Windows Analysis Report Di5RbqBHf7

Overview

General Information

Sample Name: Di5RbqBHf7 (renamed file extension from none to exe)
Analysis ID: 487475
MD5: f11c01cf16a698c1b9ed67d298e10faf
SHA1: 3318f0e8406827a459ed38648f8446bf311dbeae
SHA256: 14ed1febd3d4699a4c44ab5ea4f00ee9428457b61d519b375c0cdcda8a38c951
Tags: AsyncRAT, exe

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Detected VMProtect packer
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Di5RbqBHf7.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\Di5RbqBHf7.exe' MD5: F11C01CF16A698C1B9ED67D298E10FAF)
    • cmd.exe (PID: 7028 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe'' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5584 cmdline: schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe'' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5564 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpCD69.tmp.bat'' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7076 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • fontexport.exe (PID: 7160 cmdline: 'C:\Users\user\AppData\Local\Temp\fontexport.exe' MD5: F11C01CF16A698C1B9ED67D298E10FAF)
  • fontexport.exe (PID: 7128 cmdline: C:\Users\user\AppData\Local\Temp\fontexport.exe MD5: F11C01CF16A698C1B9ED67D298E10FAF)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.760784794.0000000004115000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.723000914.0000000005410000.00000004.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0000000A.00000002.756165726.0000000003111000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.717758426.0000000002EF1000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0000000A.00000002.756010982.0000000003090000.00000004.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(5 of 17 entries shown)

Unpacked PEs

Source | Rule | Description | Author
10.2.fontexport.exe.4116418.7.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
10.2.fontexport.exe.414cf50.6.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
11.2.fontexport.exe.3f46418.4.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
10.2.fontexport.exe.2dbcc7e.2.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
11.2.fontexport.exe.3f45530.3.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(5 of 48 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Di5RbqBHf7.exe | Virustotal: Detection: 32%
Source: Di5RbqBHf7.exe | ReversingLabs: Detection: 55%
Antivirus / Scanner detection for submitted sample
Source: Di5RbqBHf7.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Virustotal: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: Di5RbqBHf7.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Joe Sandbox ML: detected
Source: Di5RbqBHf7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
Source: Binary string: _.pdb | source: Di5RbqBHf7.exe, 00000000.00000002.723000914.0000000005410000.00000004.00020000.sdmp, fontexport.exe, 0000000A.00000002.760784794.0000000004115000.00000004.00000001.sdmp, fontexport.exe, 0000000B.00000003.733551425.0000000001089000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 92.60.40.226:57939 -> 192.168.2.4:49745
Source: Joe Sandbox View | ASN Name: XTOMxTomEU XTOMxTomEU
Source: global traffic | TCP traffic: 192.168.2.4:49745 -> 92.60.40.226:57939
Source: fontexport.exe, 0000000B.00000002.930323462.000000000103D000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: fontexport.exe, 0000000B.00000002.930323462.000000000103D000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: fontexport.exe, 0000000B.00000002.930323462.000000000103D000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.11.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: fontexport.exe, 0000000B.00000003.755353369.0000000005C7E000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?62b30017d2440
Source: Di5RbqBHf7.exe, 00000000.00000002.718194024.0000000002FF2000.00000004.00000001.sdmp, fontexport.exe, 0000000B.00000002.932175096.0000000002FE2000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | DNS traffic detected: queries for: windowssupport1256.myvnc.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: Process Memory Space: Di5RbqBHf7.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontexport.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontexport.exe PID: 7160, type: MEMORYSTR

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Process information set: 01 00 00 00

System Summary:

Detected VMProtect packer
Source: fontexport.exe.0.dr | Static PE information: .vmp0 and .vmp1 section names
Source: Di5RbqBHf7.exe, 00000000.00000002.723000914.0000000005410000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs Di5RbqBHf7.exe
Source: Di5RbqBHf7.exe, 00000000.00000002.723000914.0000000005410000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs Di5RbqBHf7.exe
Source: Di5RbqBHf7.exe, 00000000.00000002.717758426.0000000002EF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Di5RbqBHf7.exe
Source: Di5RbqBHf7.exe | Binary or memory string: OriginalFilenameStub.exe" vs Di5RbqBHf7.exe
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Sections loaded: uxtheme.dll, mscoree.dll, msvcr120_clr0400.dll, wldp.dll, cryptsp.dll, rsaenh.dll, bcrypt.dll, propsys.dll, onecoreuapcommonproxystub.dll, edputil.dll, urlmon.dll, iertutil.dll, windows.staterepositoryps.dll, cldapi.dll, wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Sections loaded: uxtheme.dll, mscoree.dll, msvcr120_clr0400.dll, wldp.dll, cryptsp.dll, rsaenh.dll, bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Sections loaded: uxtheme.dll, mscoree.dll, msvcr120_clr0400.dll, wldp.dll, cryptsp.dll, rsaenh.dll, bcrypt.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ncrypt.dll, ntasn1.dll, ncryptsslp.dll, gpapi.dll, cryptnet.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, cabinet.dll, wbemcomn.dll
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | File read: C:\Users\user\Desktop\Di5RbqBHf7.exe
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Di5RbqBHf7.exe 'C:\Users\user\Desktop\Di5RbqBHf7.exe'
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe'' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpCD69.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\fontexport.exe C:\Users\user\AppData\Local\Temp\fontexport.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\fontexport.exe 'C:\Users\user\AppData\Local\Temp\fontexport.exe'
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Di5RbqBHf7.exe.log
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | File created: C:\Users\user\AppData\Local\Temp\fontexport.exe
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/7@1/1
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | File read: C:\Windows\System32\drivers\etc\hosts (observed three times)
Source: Di5RbqBHf7.exe | Static file information: File size 5477888 > 1048576
Source: Di5RbqBHf7.exe | Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x538a00
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exeCode function: 0_2_00799741 push ebp; ret 0_2_00C6105A
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exeCode function: 0_2_02D440BC push cs; iretd 0_2_02D440BF
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exeCode function: 0_2_02D44C77 push ebx; ret 0_2_02D44C7A
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exeCode function: 0_2_02D4402E pushfd ; iretd 0_2_02D44031
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exeCode function: 10_2_02EF40BC push cs; iretd 10_2_02EF40BF
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exeCode function: 10_2_02EF4C77 push ebx; ret 10_2_02EF4C7A
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exeCode function: 10_2_02EF402E pushfd ; iretd 10_2_02EF4031
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exeCode function: 11_2_02A240BC push cs; iretd 11_2_02A240BF
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exeCode function: 11_2_02A2402E pushfd ; iretd 11_2_02A24031
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exeCode function: 11_2_02A24C77 push ebx; ret 11_2_02A24C7A
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exeCode function: 11_2_0678B153 push es; ret 11_2_0678B154
                      Source: Di5RbqBHf7.exeStatic PE information: section name: .vmp0
                      Source: Di5RbqBHf7.exeStatic PE information: section name: .vmp1
                      Source: fontexport.exe.0.drStatic PE information: section name: .vmp0
                      Source: fontexport.exe.0.drStatic PE information: section name: .vmp1
                      Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp1
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exeFile created: C:\Users\user\AppData\Local\Temp\fontexport.exeJump to dropped file
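The static entries above (section names .vmp0/.vmp1 in both the sample and the dropped fontexport.exe, entry point inside .vmp1, raw size of .vmp1 0x538a00 above the 0x100000 threshold, a 5477888-byte file) are the usual VMProtect footprint. The script below is an added example, not part of this report or of the sandbox's tooling: a stdlib-only walk of the PE32 header that reproduces those checks (which section holds the entry point, non-standard and known-protector section names, oversized raw sections, plus writable-and-executable sections) and a header-only test image that mirrors the report's facts. The RVAs, the .text/.rdata/.data sections and the entry-point offset in that test image are made up; only the section names and the .vmp1 raw size come from the report.

```python
import struct

# Section names an ordinary linker emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".pdata", ".bss", ".tls", ".CRT", ".didat"}
# Section names that identify a specific protector (only families I am sure of).
PACKER_SECTIONS = {".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
                   "UPX0": "UPX", "UPX1": "UPX", ".aspack": "ASPack"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (entry_rva, sections) reading only the header fields this check needs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                          # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_address": vaddr,
                         "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": characteristics})
        off += 40                                            # IMAGE_SECTION_HEADER is 40 bytes
    return entry_rva, sections


def assess_packing(data: bytes, large_raw=0x100000):
    """Flag the static traits listed in the report plus W+X sections; returns (ep_section, findings)."""
    entry_rva, sections = parse_pe(data)
    findings, ep_section = [], None
    for s in sections:
        # Packed sections often disagree between VirtualSize and SizeOfRawData; use the larger extent.
        extent = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= entry_rva < s["virtual_address"] + extent:
            ep_section = s["name"]
    if ep_section is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section")
    elif ep_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies in non-standard section {ep_section}")
    for s in sections:
        if s["name"] in PACKER_SECTIONS:
            findings.append(f"section {s['name']} is characteristic of {PACKER_SECTIONS[s['name']]}")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["raw_size"] > large_raw:
            findings.append(f"raw size of {s['name']} is {s['raw_size']:#x} > {large_raw:#x}")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    return ep_section, findings


def build_pe32(sections, entry_rva):
    """Synthesize a header-only PE32 for testing (constructed input, not the sample's bytes).
    sections: iterable of (name, virtual_address, virtual_size, raw_size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew
    opt_size = 224                                         # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Mirrors the report's static facts (.vmp0/.vmp1, .vmp1 raw size 0x538a00, entry point in .vmp1);
# the RVAs, the other sections and the entry offset are invented.
VMPROTECTED = build_pe32([(".text", 0x1000, 0x2000, 0x2000, 0x60000020),
                          (".rdata", 0x3000, 0x1000, 0x1000, 0x40000040),
                          (".data", 0x4000, 0x1000, 0x200, 0xC0000040),
                          (".vmp0", 0x5000, 0x10000, 0, 0x60000020),
                          (".vmp1", 0x15000, 0x538A00, 0x538A00, 0x60000020)],
                         entry_rva=0x15000 + 0x1234)
PLAIN = build_pe32([(".text", 0x1000, 0x2000, 0x2000, 0x60000020),
                    (".rdata", 0x3000, 0x1000, 0x1000, 0x40000040),
                    (".data", 0x4000, 0x1000, 0x200, 0xC0000040)], entry_rva=0x1100)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else VMPROTECTED
    ep, findings = assess_packing(data)
    print(f"entry point section: {ep}")
    for finding in findings:
        print(" -", finding)
```

Pass a file path to run it against a real sample; with no argument it scores the synthetic header, which yields the entry point in .vmp1, two VMProtect section hits and the oversized .vmp1, while the plain three-section header yields nothing.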

                      Boot Survival:

Yara detected AsyncRAT
Source: Yara match | File source: 10.2.fontexport.exe.4116418.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.414cf50.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.3f46418.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.2dbcc7e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.3f45530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.2d0cc7e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.5410000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.4116418.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.2c7cc7e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.5630000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.5490000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.3f2cf50.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.3ef6418.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.Di5RbqBHf7.exe.dd4798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.5490000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.4115530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.fontexport.exe.10530c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.5410000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.5410ee8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.3f45530.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.3f7cf50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.3090000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.3090000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.5460000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.54e0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.fontexport.exe.f5be40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.3f46418.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.2d0db66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.2dbdb66.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.fontexport.exe.10530c8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.3ef6418.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.5630000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.2d0cc7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.3090ee8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.fontexport.exe.f5be40.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.2d0db66.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.5460ee8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.3ef5530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.4115530.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.5460000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.54e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.3f2cf50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.3f7cf50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.2dbcc7e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.2dbdb66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.5410ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.fontexport.exe.414cf50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.2c7cc7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.2c7db66.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.3ef5530.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.fontexport.exe.5460ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Di5RbqBHf7.exe.2c7db66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.760784794.0000000004115000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.723000914.0000000005410000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.756165726.0000000003111000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.717758426.0000000002EF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.756010982.0000000003090000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.933463091.0000000003F45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.668587609.0000000000DD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.933572791.0000000005460000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.761044345.0000000005630000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.931691350.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.932262130.0000000003013000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.727660213.0000000000F5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.933755258.00000000054E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.716855418.0000000002C3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.729198184.0000000001053000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.755269158.0000000002D7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.719786206.0000000003EF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.723116148.0000000005490000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.931138547.0000000002CCC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Di5RbqBHf7.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontexport.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fontexport.exe PID: 7160, type: MEMORYSTR
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe''

                      Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 28F0005 value: E9 FB BF 7F 74
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 770EC000 value: E9 0A 40 80 8B
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 2A00008 value: E9 AB E0 72 74
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 7712E0B0 value: E9 60 1F 8D 8B
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 2A20005 value: E9 CB 5A BB 71
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 745D5AD0 value: E9 3A A5 44 8E
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 2A30005 value: E9 5B B0 BC 71
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 745FB060 value: E9 AA 4F 43 8E
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 2A40005 value: E9 DB F8 07 72
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 74ABF8E0 value: E9 2A 07 F8 8D
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 2A50005 value: E9 FB 42 09 72
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 74AE4300 value: E9 0A BD F6 8D
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 2A70005 value: E9 FB 99 6A 74
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory written: PID: 6848 base: 77119A00 value: E9 0A 66 95 8B
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 2A20005 value: E9 FB BF 6C 74
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 770EC000 value: E9 0A 40 93 8B
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 2B30008 value: E9 AB E0 5F 74
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 7712E0B0 value: E9 60 1F A0 8B
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 2B50005 value: E9 CB 5A A8 71
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 745D5AD0 value: E9 3A A5 57 8E
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 2B60005 value: E9 5B B0 A9 71
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 745FB060 value: E9 AA 4F 56 8E
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 2B70005 value: E9 DB F8 F4 71
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 74ABF8E0 value: E9 2A 07 0B 8E
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 2B90005 value: E9 FB 42 F5 71
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 74AE4300 value: E9 0A BD 0A 8E
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 2BB0005 value: E9 FB 99 56 74
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7128 base: 77119A00 value: E9 0A 66 A9 8B
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: F40005 value: E9 FB BF 1A 76
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: 770EC000 value: E9 0A 40 E5 89
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: F50008 value: E9 AB E0 1D 76
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: 7712E0B0 value: E9 60 1F E2 89
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: F70005 value: E9 CB 5A 66 73
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: 745D5AD0 value: E9 3A A5 99 8C
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: F80005 value: E9 5B B0 67 73
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: 745FB060 value: E9 AA 4F 98 8C
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: F90005 value: E9 DB F8 B2 73
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: 74ABF8E0 value: E9 2A 07 4D 8C
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: FA0005 value: E9 FB 42 B4 73
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: 74AE4300 value: E9 0A BD 4B 8C
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: FB0005 value: E9 FB 99 16 76
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory written: PID: 7160 base: 77119A00 value: E9 0A 66 E9 89
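The 42 "Memory written" entries come in pairs per process: a 5-byte JMP (opcode E9 followed by a signed 32-bit displacement from the end of the instruction) written at a high address in the 0x74xxxxxx-0x77xxxxxx range where a 32-bit process maps its system DLLs, and a second JMP written into a freshly allocated low region that jumps back into the patched function just past the overwritten bytes. That is a classic inline hook with a trampoline, and each process installs the same seven. Two caveats a reader should take from the page itself: every PID listed is the writer's own PID (6848 is Di5RbqBHf7.exe, 7128 and 7160 are fontexport.exe, per the Yara process-memory matches), so these are in-process hooks rather than hooks in a foreign process, and the report names no module, so which APIs are patched cannot be read off this page. The script below is an added example, not part of the report or of the sandbox's tooling: it decodes each write to its absolute target and pairs trampolines with hooked functions, which also recovers the detour (hook handler) address and how many prologue bytes were stolen. `looks_like_image` and its 0x70000000 threshold are an assumption about this process layout, standing in for the module list the report does not give.

```python
import re
import struct
from collections import defaultdict

# "Memory written" entries copied from this report (PID 6848 = Di5RbqBHf7.exe,
# PID 7160 = fontexport.exe). Each value is a 5-byte JMP rel32 (opcode E9).
REPORT_LINES = """
PID: 6848 base: 28F0005 value: E9 FB BF 7F 74
PID: 6848 base: 770EC000 value: E9 0A 40 80 8B
PID: 6848 base: 2A00008 value: E9 AB E0 72 74
PID: 6848 base: 7712E0B0 value: E9 60 1F 8D 8B
PID: 6848 base: 2A20005 value: E9 CB 5A BB 71
PID: 6848 base: 745D5AD0 value: E9 3A A5 44 8E
PID: 6848 base: 2A30005 value: E9 5B B0 BC 71
PID: 6848 base: 745FB060 value: E9 AA 4F 43 8E
PID: 6848 base: 2A40005 value: E9 DB F8 07 72
PID: 6848 base: 74ABF8E0 value: E9 2A 07 F8 8D
PID: 6848 base: 2A50005 value: E9 FB 42 09 72
PID: 6848 base: 74AE4300 value: E9 0A BD F6 8D
PID: 6848 base: 2A70005 value: E9 FB 99 6A 74
PID: 6848 base: 77119A00 value: E9 0A 66 95 8B
PID: 7160 base: F40005 value: E9 FB BF 1A 76
PID: 7160 base: 770EC000 value: E9 0A 40 E5 89
""".strip().splitlines()

LINE_RE = re.compile(r"PID:\s*(\d+)\s+base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")


def jmp_target(base: int, value_hex: str) -> int:
    """Resolve a written `E9 rel32` to the address it jumps to.

    rel32 is a signed displacement from the end of the 5-byte instruction,
    so target = base + 5 + rel32, truncated to 32 bits for a WOW64 process.
    """
    code = bytes.fromhex(value_hex.replace(" ", ""))
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError(f"not a JMP rel32 at {base:#x}: {value_hex}")
    rel32 = struct.unpack("<i", code[1:])[0]
    return (base + 5 + rel32) & 0xFFFFFFFF


def parse_writes(lines):
    """Return {pid: {written_address: jump_target}} for every parsable entry."""
    writes = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pid, base = int(m.group(1)), int(m.group(2), 16)
            writes[pid][base] = jmp_target(base, m.group(3).strip())
    return writes


def pair_hooks(writes, in_image, max_stolen=16):
    """Match each trampoline JMP with the hooked function it returns into.

    A trampoline is a JMP outside image code whose target lands 5..max_stolen bytes
    past a written address inside image code: the hooking engine copied that many
    "stolen" prologue bytes and jumps back to the first untouched instruction.
    The hooked function's own JMP target is the detour (the hook handler).
    """
    hooks = defaultdict(list)
    for pid, table in writes.items():
        for tramp, back in table.items():
            if in_image(tramp):
                continue
            for func, detour in table.items():
                stolen = back - func
                if in_image(func) and 5 <= stolen <= max_stolen:
                    hooks[pid].append({"function": func, "stolen_bytes": stolen,
                                       "trampoline": tramp, "detour": detour})
    return hooks


def looks_like_image(addr: int) -> bool:
    """Assumption for this report: no module list is given, so treat addresses at or above
    0x70000000 (where WOW64 system DLLs are usually mapped) as image code. Replace with a
    real module-range lookup when the process's module list is available."""
    return addr >= 0x70000000


if __name__ == "__main__":
    for pid, entries in sorted(pair_hooks(parse_writes(REPORT_LINES), looks_like_image).items()):
        for h in sorted(entries, key=lambda h: h["function"]):
            print(f"PID {pid}: {h['function']:#010x} -> detour {h['detour']:#010x} "
                  f"(stole {h['stolen_bytes']} bytes, trampoline at {h['trampoline']:#010x})")
```

For PID 6848 this yields seven hooked functions (0x745D5AD0, 0x745FB060, 0x74ABF8E0, 0x74AE4300, 0x770EC000, 0x77119A00, 0x7712E0B0), six with a 5-byte stolen prologue and 0x7712E0B0 with 8, each detouring into the low region right after its trampoline. The same seven addresses recur in PIDs 7128 and 7160, consistent with the same runtime installing the same hooks in every instance.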
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Process information set: NOOPENFILEERRORBOX (79 identical entries)

                      Malware Analysis System Evasion:

                      Yara detected AsyncRAT
                      Source: Yara matchFile source: 10.2.fontexport.exe.4116418.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.414cf50.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.3f46418.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.2dbcc7e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.3f45530.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.2d0cc7e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.5410000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.4116418.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.2c7cc7e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.5630000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.5490000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.3f2cf50.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.3ef6418.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.Di5RbqBHf7.exe.dd4798.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.5490000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.4115530.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.fontexport.exe.10530c8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.5410000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.5410ee8.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.3f45530.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.3f7cf50.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.3090000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.3090000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.5460000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.54e0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.fontexport.exe.f5be40.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.3f46418.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.2d0db66.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.2dbdb66.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.3090ee8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.fontexport.exe.10530c8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.3ef6418.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.5630000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.2d0cc7e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.3090ee8.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.fontexport.exe.f5be40.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.2d0db66.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.5460ee8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.3ef5530.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.4115530.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.5460000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.54e0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.3f2cf50.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.3f7cf50.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.2dbcc7e.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.2dbdb66.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.5410ee8.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.fontexport.exe.414cf50.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.2c7cc7e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.2c7db66.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.3ef5530.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.fontexport.exe.5460ee8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Di5RbqBHf7.exe.2c7db66.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000A.00000002.760784794.0000000004115000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.723000914.0000000005410000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.756165726.0000000003111000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.717758426.0000000002EF1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.756010982.0000000003090000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.933463091.0000000003F45000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.668587609.0000000000DD4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.933572791.0000000005460000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.761044345.0000000005630000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.931691350.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.932262130.0000000003013000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.727660213.0000000000F5B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.933755258.00000000054E0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.716855418.0000000002C3C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.729198184.0000000001053000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.755269158.0000000002D7C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.719786206.0000000003EF5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.723116148.0000000005490000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.931138547.0000000002CCC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Di5RbqBHf7.exe PID: 6848, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: fontexport.exe PID: 7128, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: fontexport.exe PID: 7160, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Di5RbqBHf7.exe, 00000000.00000002.712115124.0000000000426000.00000020.00020000.sdmp, fontexport.exe, 0000000A.00000002.750374949.0000000000426000.00000020.00020000.sdmp, fontexport.exe, 0000000B.00000002.928788031.0000000000426000.00000020.00020000.sdmp | Binary or memory string: 2SBIEDLL.DLL
                      Source: Di5RbqBHf7.exe, 00000000.00000002.717758426.0000000002EF1000.00000004.00000001.sdmp, fontexport.exe, 0000000A.00000002.756165726.0000000003111000.00000004.00000001.sdmp, fontexport.exe, 0000000B.00000002.931691350.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: Di5RbqBHf7.exe, 00000000.00000002.712115124.0000000000426000.00000020.00020000.sdmp, fontexport.exe, 0000000A.00000002.750374949.0000000000426000.00000020.00020000.sdmp, fontexport.exe, 0000000B.00000002.928788031.0000000000426000.00000020.00020000.sdmp | Binary or memory string: 2SBIEDLL.DLL$
                      Tries to detect virtualization through RDTSC time measurements
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | RDTSC instruction interceptor: First address: 00000000007ED657 second address: 00000000007ED65C instructions: 0x00000000 rdtsc 0x00000002 rcl ah, cl 0x00000004 pop edi 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | RDTSC instruction interceptor: First address: 00000000005DD38D second address: 000000000060B6BB instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 clc 0x00000004 sets al 0x00000007 pop ebx 0x00000008 pop eax 0x00000009 dec si 0x0000000c bsf esi, ebp 0x0000000f pop ecx 0x00000010 sub dl, 00000056h 0x00000013 clc 0x00000014 bswap si 0x00000017 popfd 0x00000018 cmovo dx, dx 0x0000001c mov dx, si 0x0000001f setno dh 0x00000022 pop esi 0x00000023 xchg dl, dh 0x00000025 pop edx 0x00000026 jmp 00007FE218A866C5h 0x0000002b ret 0x0000002c push EF85D3FCh 0x00000031 call 00007FE218B86C51h 0x00000036 pushfd 0x00000037 cmc 0x00000038 push esi 0x00000039 rcr esi, 43h 0x0000003c rol si, 0060h 0x00000040 push ebx 0x00000041 btr ebx, 25h 0x00000045 push ebp 0x00000046 bts si, di 0x0000004a push eax 0x0000004b btr ebx, ebp 0x0000004e lahf 0x0000004f rol al, 00000039h 0x00000052 push ecx 0x00000053 push edx 0x00000054 btr ax, dx 0x00000058 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | RDTSC instruction interceptor: First address: 00000000007ED657 second address: 00000000007ED65C instructions: 0x00000000 rdtsc 0x00000002 rcl ah, cl 0x00000004 pop edi 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | RDTSC instruction interceptor: First address: 00000000005DD38D second address: 000000000060B6BB instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 clc 0x00000004 sets al 0x00000007 pop ebx 0x00000008 pop eax 0x00000009 dec si 0x0000000c bsf esi, ebp 0x0000000f pop ecx 0x00000010 sub dl, 00000056h 0x00000013 clc 0x00000014 bswap si 0x00000017 popfd 0x00000018 cmovo dx, dx 0x0000001c mov dx, si 0x0000001f setno dh 0x00000022 pop esi 0x00000023 xchg dl, dh 0x00000025 pop edx 0x00000026 jmp 00007FE218A866C5h 0x0000002b ret 0x0000002c push EF85D3FCh 0x00000031 call 00007FE218B86C51h 0x00000036 pushfd 0x00000037 cmc 0x00000038 push esi 0x00000039 rcr esi, 43h 0x0000003c rol si, 0060h 0x00000040 push ebx 0x00000041 btr ebx, 25h 0x00000045 push ebp 0x00000046 bts si, di 0x0000004a push eax 0x0000004b btr ebx, ebp 0x0000004e lahf 0x0000004f rol al, 00000039h 0x00000052 push ecx 0x00000053 push edx 0x00000054 btr ax, dx 0x00000058 rdtsc
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe TID: 6952 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe TID: 5992 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe TID: 6204 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe TID: 5040 | Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Window / User API: threadDelayed 5889
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Window / User API: threadDelayed 3505
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory allocated: 2D30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory allocated: 2EF0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory allocated: 4EF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory allocated: 2EA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory allocated: 3110000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory allocated: 5110000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory allocated: 2A10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory allocated: 2F40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Memory allocated: 4F40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | File Volume queried: C:\ FullSizeInformation
                      Source: fontexport.exe, 0000000B.00000002.931691350.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: fontexport.exe, 0000000B.00000003.757786236.00000000010E9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: fontexport.exe, 0000000B.00000002.930323462.000000000103D000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW`
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe'' & exit
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpCD69.tmp.bat''
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe''
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\fontexport.exe 'C:\Users\user\AppData\Local\Temp\fontexport.exe'
                      Source: fontexport.exe, 0000000B.00000002.932307800.000000000302D000.00000004.00000001.sdmp | Binary or memory string: Program Manager
                      Source: fontexport.exe, 0000000B.00000002.930563782.0000000001590000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: fontexport.exe, 0000000B.00000002.930563782.0000000001590000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: fontexport.exe, 0000000B.00000003.919354813.0000000005C93000.00000004.00000001.sdmp | Binary or memory string: Program ManagerS
                      Source: fontexport.exe, 0000000B.00000002.930563782.0000000001590000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Di5RbqBHf7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Yara detected AsyncRAT (same Yara match sources as listed under Malware Analysis System Evasion above)
                      Source: C:\Users\user\AppData\Local\Temp\fontexport.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: fontexport.exe, 0000000B.00000003.792869869.0000000005CAB000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 2 | Process Injection 12 | Masquerading 1 | Credential API Hooking 1 | Query Registry 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 2 | DLL Side-Loading 1 | Scheduled Task/Job 2 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 321 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting 1 | Logon Script (Windows) | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 11 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 113 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

Trailing digits after a technique are the report's per-technique markers, kept as given; "-" marks an empty cell.

                      Behavior Graph

Behavior Graph ID: 487475, Sample: Di5RbqBHf7, Start date: 21/09/2021, Architecture: WINDOWS, Score: 100

Sample-level signatures shown on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures.

Process tree encoded in the graph:

• Di5RbqBHf7.exe (started)
  Dropped: C:\Users\user\AppData\...\fontexport.exe (PE32); C:\Users\user\AppData\...\Di5RbqBHf7.exe.log (ASCII)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Protects its processes via BreakOnTermination flag; Tries to detect virtualization through RDTSC time measurements
  • cmd.exe (started)
    • fontexport.exe (started)
      Contacts: windowssupport1256.myvnc.com, 92.60.40.226, ports 49745, 57939, XTOMxTomEU, United Kingdom
      Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Protects its processes via BreakOnTermination flag
    • conhost.exe (started)
    • timeout.exe (started)
  • cmd.exe (started)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
    • conhost.exe (started)
    • schtasks.exe (started)
• fontexport.exe (started)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Di5RbqBHf7.exe | 32% | Virustotal | -
Di5RbqBHf7.exe | 56% | ReversingLabs | Win32.Backdoor.Crysan
Di5RbqBHf7.exe | 100% | Avira | TR/Crypt.XPACK.Gen
Di5RbqBHf7.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\fontexport.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\fontexport.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\fontexport.exe | 32% | Virustotal | -
C:\Users\user\AppData\Local\Temp\fontexport.exe | 56% | ReversingLabs | Win32.Backdoor.Crysan

Unpacked PE Files

Source | Detection | Scanner | Label
11.0.fontexport.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.0.fontexport.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.fontexport.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.fontexport.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.Di5RbqBHf7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.Di5RbqBHf7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
windowssupport1256.myvnc.com | 2% | Virustotal | -

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
windowssupport1256.myvnc.com | 92.60.40.226 | true | true | - | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Di5RbqBHf7.exe, 00000000.00000002.718194024.0000000002FF2000.00000004.00000001.sdmp, fontexport.exe, 0000000B.00000002.932175096.0000000002FE2000.00000004.00000001.sdmp | false | - | high

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
92.60.40.226 | windowssupport1256.myvnc.com | United Kingdom | 3214 | XTOMxTomEU | true

                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 487475
Start date: 21.09.2021
Start time: 17:42:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Di5RbqBHf7 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/7@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.4% (good quality ratio 0.4%)
• Quality average: 31%
• Quality standard deviation: 15%
HCA Information:
• Successful, ratio: 58%
• Number of executed functions: 142
• Number of non-executed functions: 1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.50.102.62, 13.107.4.50, 20.54.110.249, 40.112.88.60, 204.79.197.200, 13.107.21.200, 80.67.82.235, 80.67.82.211, 20.82.210.154
                        • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, b1ns.c-0001.c-msedge.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, b1ns.au-msedge.net, www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
17:43:20 | Task Scheduler | Run new task: fontexport path: "C:\Users\user\AppData\Local\Temp\fontexport.exe"
17:43:39 | API Interceptor | 1x Sleep call for process: fontexport.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN


                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\AppData\Local\Temp\fontexport.exe
File Type: Microsoft Cabinet archive data, 61157 bytes, 1 file
Category: dropped
Size (bytes): 61157
Entropy (8bit): 7.995991509218449
Encrypted: true
SSDEEP: 1536:ppUkcaDREfLNPj1tHqn+ZQgYXAMxCbG0Ra0HMSAKMgAAaE1k:7UXaDR0NPj1Vi++xQFa07sTgAQ1k
MD5: AB5C36D10261C173C5896F3478CDC6B7
SHA1: 87AC53810AD125663519E944BC87DED3979CBEE4
SHA-256: F8E90FB0557FE49D7702CFB506312AC0B24C97802F9C782696DB6D47F434E8E9
SHA-512: E83E4EAE44E7A9CBCD267DBFC25A7F4F68B50591E3BBE267324B1F813C9220D565B284994DED5F7D2D371D50E1EBFA647176EC8DE9716F754C6B5785C6E897FA
Malicious: false
Reputation: low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\AppData\Local\Temp\fontexport.exe
File Type: data
Category: modified
Size (bytes): 326
Entropy (8bit): 3.08619916781087
Encrypted: false
SSDEEP: 6:kK4Gkl2dFN+SkQlPlEGYRMY9z+4KlDA3RUeOlEfcTt:dT2kPlE99SNxAhUefit
MD5: 9E176AC34B6E84BCA13A02DB8F71F422
SHA1: 57DE7AC3EC10FB55F4953A02B5E26F6A34002E86
SHA-256: D63C6EE0AE8A39549F9D35C578B9D36BA2E182001C8D2F4C4DEA02F93921F6C3
SHA-512: EDEB1812A92D400A1B3CD7F04E7C8EC471A01CD230D5A8DF067EA3E52E8D994589ADF1E6D4D84E602A694A539FAE14E14A4AEEC452FA83FD6E0A2DF1A7117823
Malicious: false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Di5RbqBHf7.exe.log
Process: C:\Users\user\Desktop\Di5RbqBHf7.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 617
Entropy (8bit): 5.347480285514745
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4M6:MLUE4K5E4Ks2wKDE4KhK3VZ9pKhg84j
MD5: FFB445FE1FBBAC8029A8E63A21F68CBC
SHA1: 2ED10B7DE94566F57A3620EA2E842F485740AA97
SHA-256: 7FD3AFC4B0EBBA8611FF296B18B63A4C5AA5E089EA825E227C19ADEA0064A42F
SHA-512: DEC001FA43046C4516E7628EB5E45918AED3F634A6FE1FAD35F0FEE76FAFE09CF2FA4D9BD807B81663E68507E7D0AC4C00208AC9B86428CF657103D5F7AFD4E4
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fontexport.exe.log
Process: C:\Users\user\AppData\Local\Temp\fontexport.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 617
Entropy (8bit): 5.347480285514745
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4M6:MLUE4K5E4Ks2wKDE4KhK3VZ9pKhg84j
MD5: FFB445FE1FBBAC8029A8E63A21F68CBC
SHA1: 2ED10B7DE94566F57A3620EA2E842F485740AA97
SHA-256: 7FD3AFC4B0EBBA8611FF296B18B63A4C5AA5E089EA825E227C19ADEA0064A42F
SHA-512: DEC001FA43046C4516E7628EB5E45918AED3F634A6FE1FAD35F0FEE76FAFE09CF2FA4D9BD807B81663E68507E7D0AC4C00208AC9B86428CF657103D5F7AFD4E4
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Temp\fontexport.exe
Process: C:\Users\user\Desktop\Di5RbqBHf7.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5477888
Entropy (8bit): 7.943820293934332
Encrypted: false
SSDEEP: 98304:ePUgQFmj1OSkPX36/NuZdq3GPmx8UDYWtJUMSWL8j8muZAblgCKnoBF0AbU83/:ecSj1D+E4Zdq3lx8Y/eMSWL8jeGyfnxA
MD5: F11C01CF16A698C1B9ED67D298E10FAF
SHA1: 3318F0E8406827A459ED38648F8446BF311DBEAE
SHA-256: 14ED1FEBD3D4699A4C44AB5EA4F00EE9428457B61D519B375C0CDCDA8A38C951
SHA-512: E9F27AD805BB225119127B355A34C2F64FB44B18D164BE8E7414A1E395028939F1C22A233FC64963DAC2F4CC47386F84B00A6A1076EE09EB5FBB082223D52900
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 32%
• Antivirus: ReversingLabs, Detection: 56%
C:\Users\user\AppData\Local\Temp\tmpCD69.tmp.bat
Process: C:\Users\user\Desktop\Di5RbqBHf7.exe
File Type: DOS batch file, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 157
Entropy (8bit): 4.953732371979108
Encrypted: false
SSDEEP: 3:mKDDCMNqTtvL5ot+kiE2J5xAILbmqRDt+kiE2J5xAInTRIMFcLRozVZPy:hWKqTtT6wkn23f/mq1wkn23fTtmLRoze
MD5: 45668761F3B47D1D48E571BDC6AAC53D
SHA1: 447F69A10A6683DB26AA4231E34057DAB08FA733
SHA-256: 03CEE48C3B1409EA0D3FCCEA9D6C1BEEC3E426552864C08B9F28BDB3D68680D3
SHA-512: DE403512E46173778D9F00DD79570F7B67CB1D09F057DE18BE17A6DA2133399370636CA2DD6945902F56E577B68018A7BDFD4C90A8E9C5AE6C18C18CD6D403BE
Malicious: false
Preview: @echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Local\Temp\fontexport.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpCD69.tmp.bat" /f /q..
\Device\Null
Process: C:\Windows\SysWOW64\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.41440934524794
Encrypted: false
SSDEEP: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5: 3DD7DD37C304E70A7316FE43B69F421F
SHA1: A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256: 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512: 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious: false
Preview: ..Waiting for 3 seconds, press a key to continue ....2.1.0..

                        Static File Info

                        General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.943820293934332
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Di5RbqBHf7.exe
File size: 5477888
MD5: f11c01cf16a698c1b9ed67d298e10faf
SHA1: 3318f0e8406827a459ed38648f8446bf311dbeae
SHA256: 14ed1febd3d4699a4c44ab5ea4f00ee9428457b61d519b375c0cdcda8a38c951
SHA512: e9f27ad805bb225119127b355a34c2f64fb44b18d164be8e7414a1e395028939f1c22a233fc64963dac2f4cc47386f84b00a6a1076ee09eb5fbb082223d52900
SSDEEP: 98304:ePUgQFmj1OSkPX36/NuZdq3GPmx8UDYWtJUMSWL8j8muZAblgCKnoBF0AbU83/:ecSj1D+E4Zdq3lx8Y/eMSWL8jeGyfnxA

                        File Icon

Icon Hash: 00828e8e8686b000

                        Static PE Info

                        General

Entrypoint: 0x799741
Entrypoint Section: .vmp1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 172750858dcc0719eed08c952858023c

                        Entrypoint Preview

                        Instruction
                        push B7738054h
                        call 00007FE218E18B2Bh
                        add ebp, ecx
                        jmp 00007FE218AEF2A4h
                        xor ecx, 6A1F2F75h
                        stc
                        clc
                        rol ecx, 1
                        test di, 309Fh
                        bswap ecx
                        cmc
                        clc
                        test esp, ecx
                        xor ebx, ecx
                        clc
                        jmp 00007FE218F1A687h
                        setnp dh
                        pushfd
                        pop dword ptr [edi]
                        and dx, bx
                        xor dh, 00000055h
                        mov edx, dword ptr [ebp+00h]
                        add ebp, 00000004h
                        cmp bx, si
                        test si, 466Ch
                        xor edx, ebx
                        clc
                        add edx, 51101B64h
                        cmc
                        clc
                        ror edx, 1
                        cmp eax, edi
                        test bh, 00000064h
                        cmc
                        lea edx, dword ptr [edx-2D945DAAh]
                        cmp dl, 0000002Fh
                        xor edx, 01150CA7h
                        clc
                        test eax, esp
                        sub edx, 4D5C2FD8h
                        stc
                        cmc
                        bswap edx
                        clc
                        ror edx, 03h
                        cmp esp, 15A3563Ah
                        stc
                        sub edx, 0FC53036h
                        rol edx, 03h
                        test ch, 00000016h
                        xor ebx, edx
                        stc
                        test di, ax
                        add esi, edx
                        jmp esi
                        shl dh, cl
                        sub dl, 0000005Ch
                        pop ebx
                        bsf dx, ax
                        ror dx, cl
                        mov edx, dword ptr [esi]
                        stc
                        add esi, 00000004h
                        jmp 00007FE218E916E2h
                        push edi
                        ret
                        mov ecx, dword ptr [edi]
                        mov eax, dword ptr fs:[ecx]
                        jmp 00007FE218E46FF1h
                        lea ebp, dword ptr [ebp+00FFFFFCh]

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7dc94c | 0xb4 | .vmp1
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x899000 | 0x7ff | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8987a0 | 0x40 | .vmp1
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x3aa000 | 0x70 | .vmp1
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x19718 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x1b000 | 0x6db4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x22000 | 0x30c0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .vmp0 | 0x26000 | 0x339b23 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .vmp1 | 0x360000 | 0x5388f0 | 0x538a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x899000 | 0x7ff | 0x800 | False | 0.4208984375 | data | 4.92243335919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_VERSION | 0x8990a0 | 0x2cc | data | |
                        RT_MANIFEST | 0x89936c | 0x493 | exported SGML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                        Imports

                        DLL | Import
                        KERNEL32.dll | RaiseException
                        ole32.dll | OleInitialize
                        OLEAUT32.dll | SafeArrayCreate
                        WTSAPI32.dll | WTSSendMessageW
                        KERNEL32.dll | VirtualQuery
                        USER32.dll | GetProcessWindowStation
                        KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
                        USER32.dll | GetProcessWindowStation, GetUserObjectInformationW

                        Version Infos

                        Description | Data
                        Translation | 0x0000 0x04b0
                        LegalCopyright |
                        Assembly Version | 1.0.0.0
                        InternalName | Stub.exe
                        FileVersion | 1.0.0.0
                        CompanyName |
                        LegalTrademarks |
                        Comments |
                        ProductName |
                        ProductVersion | 1.0.0.0
                        FileDescription |
                        OriginalFilename | Stub.exe

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        09/21/21-17:43:37.774693 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                        09/21/21-17:43:38.044014 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 57939 | 49745 | 92.60.40.226 | 192.168.2.4

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Sep 21, 2021 17:43:37.783833027 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:37.835521936 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:37.835654974 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:37.981848001 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:38.044013977 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:38.045526981 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:38.045625925 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:38.054383039 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:38.107642889 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:38.235898018 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:43.606359959 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:43.709821939 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:43.710284948 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:43.813640118 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:58.362608910 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:58.482152939 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:58.482220888 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:58.544460058 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:58.626647949 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:58.680430889 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:58.783236980 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:58.847569942 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:58.948180914 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:58.949428082 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:59.064290047 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:59.288661957 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:59.392635107 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:43:59.446517944 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:43:59.580151081 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:13.119462967 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:13.228632927 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:13.228938103 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:13.282793999 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:13.333591938 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:13.387341022 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:13.434844971 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:13.566322088 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:13.566750050 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:13.682615995 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:27.872291088 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:27.979274988 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:27.979439974 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:28.031528950 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:28.082590103 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:28.137419939 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:28.181440115 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:28.306880951 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:28.307156086 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:28.412183046 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:29.305567980 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:29.348253012 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:29.401892900 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:29.458832026 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:42.710196018 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:42.822084904 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:42.822264910 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:42.877423048 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:42.927565098 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:42.984357119 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:43.036902905 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:43.085685015 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:43.187710047 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:43.187964916 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:43.301706076 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:57.349817991 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:57.472524881 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:57.473853111 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:57.534503937 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:57.585150003 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:57.638550043 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:57.677834034 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:57.785223961 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:57.785536051 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:57.886219978 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:59.308937073 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:59.350913048 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:44:59.405683041 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:44:59.460303068 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:12.040263891 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:12.145526886 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:12.145723104 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:12.199268103 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:12.242638111 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:12.294711113 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:12.295978069 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:12.400939941 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:12.401061058 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:12.505441904 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:26.775862932 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:26.895234108 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:26.895436049 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:26.949263096 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:26.993834972 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:27.047327995 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:27.048506975 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:27.151345968 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:27.151526928 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:27.249409914 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:29.321365118 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:29.369015932 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226
                        Sep 21, 2021 17:45:29.421022892 CEST | 57939 | 49745 | 92.60.40.226 | 192.168.2.4
                        Sep 21, 2021 17:45:29.462888956 CEST | 49745 | 57939 | 192.168.2.4 | 92.60.40.226

                        UDP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Sep 21, 2021 17:42:49.136686087 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:42:49.158184052 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:20.550456047 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:20.570127010 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:37.754338980 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:37.774693012 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:40.098799944 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:40.119360924 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:47.460087061 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:47.499886036 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:48.426054001 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:48.446026087 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:48.957386017 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:49.013205051 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:49.526931047 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:49.546771049 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:49.898333073 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:49.926708937 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:50.632074118 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:50.668484926 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:51.135983944 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:51.200826883 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:51.775197029 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:51.792900085 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:52.742096901 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:52.795233965 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:53.500258923 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:53.542237997 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:54.152259111 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:54.187470913 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:43:56.237308979 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:43:56.256380081 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:44:00.582186937 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:44:00.603811026 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:44:38.146846056 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:44:38.181586981 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:44:39.366028070 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:44:39.392321110 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                        Sep 21, 2021 17:45:11.250339031 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                        Sep 21, 2021 17:45:11.271048069 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4

                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Sep 21, 2021 17:43:37.754338980 CEST | 192.168.2.4 | 8.8.8.8 | 0x6b35 | Standard query (0) | windowssupport1256.myvnc.com | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Sep 21, 2021 17:43:37.774693012 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b35 | No error (0) | windowssupport1256.myvnc.com | | 92.60.40.226 | A (IP address) | IN (0x0001)

                        Code Manipulations

                        Statistics

                        CPU Usage

                        Memory Usage

                        High Level Behavior Distribution

                        Behavior

                        System Behavior

                        General

                        Start time:17:42:55
                        Start date:21/09/2021
                        Path:C:\Users\user\Desktop\Di5RbqBHf7.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\Di5RbqBHf7.exe'
                        Imagebase:0x400000
                        File size:5477888 bytes
                        MD5 hash:F11C01CF16A698C1B9ED67D298E10FAF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.723000914.0000000005410000.00000004.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.717758426.0000000002EF1000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.668587609.0000000000DD4000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.716855418.0000000002C3C000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.719786206.0000000003EF5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.723116148.0000000005490000.00000004.00020000.sdmp, Author: Joe Security
                        Reputation:low

                        General

                        Start time:17:43:18
                        Start date:21/09/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe'' & exit
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:43:18
                        Start date:21/09/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff724c50000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:43:19
                        Start date:21/09/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpCD69.tmp.bat''
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:43:19
                        Start date:21/09/2021
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:schtasks /create /f /sc onlogon /rl highest /tn 'fontexport' /tr ''C:\Users\user\AppData\Local\Temp\fontexport.exe''
                        Imagebase:0xd50000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:43:19
                        Start date:21/09/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff724c50000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:43:20
                        Start date:21/09/2021
                        Path:C:\Windows\SysWOW64\timeout.exe
                        Wow64 process (32bit):true
                        Commandline:timeout 3
                        Imagebase:0x160000
                        File size:26112 bytes
                        MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:43:21
                        Start date:21/09/2021
                        Path:C:\Users\user\AppData\Local\Temp\fontexport.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Temp\fontexport.exe
                        Imagebase:0x400000
                        File size:5477888 bytes
                        MD5 hash:F11C01CF16A698C1B9ED67D298E10FAF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.760784794.0000000004115000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.756165726.0000000003111000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.756010982.0000000003090000.00000004.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.761044345.0000000005630000.00000004.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000003.727660213.0000000000F5B000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.755269158.0000000002D7C000.00000004.00000001.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 32%, Virustotal, Browse
                        • Detection: 56%, ReversingLabs
                        Reputation:low

                        General

                        Start time:17:43:24
                        Start date:21/09/2021
                        Path:C:\Users\user\AppData\Local\Temp\fontexport.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\AppData\Local\Temp\fontexport.exe'
                        Imagebase:0x400000
                        File size:5477888 bytes
                        MD5 hash:F11C01CF16A698C1B9ED67D298E10FAF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.933463091.0000000003F45000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.933572791.0000000005460000.00000004.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.931691350.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.932262130.0000000003013000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.933755258.00000000054E0000.00000004.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.729198184.0000000001053000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.931138547.0000000002CCC000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        Disassembly

                        Code Analysis

                          Executed Functions

                          Memory Dump Source
                          • Source File: 00000000.00000002.717428649.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 575c3db97a9d43b0adf29b8f39d81735f19772cbb6fe223c7b172a59f7ff6c95
                          • Instruction ID: 4db47ecfd0e781ecec70e29d38b58826cf7aa518d5ec9e28c91b0cd9a10634ba
                          • Opcode Fuzzy Hash: 575c3db97a9d43b0adf29b8f39d81735f19772cbb6fe223c7b172a59f7ff6c95
                          • Instruction Fuzzy Hash: 87522735A00124AFDB15DFA8C984EA9BBB2FF49314F1685A8E5499B372CB31EC51CF40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D4933C
                          Memory Dump Source
                          • Source File: 00000000.00000002.717428649.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: ea9dfd43e9939b6344356d192b3b7ec6e22ec8ac4851b715165a9e293d4746e0
                          • Instruction ID: b72350dfb0bd6f8a6f28c96e44442eb72ff3cc861e863a831a67005f0727e0de
                          • Opcode Fuzzy Hash: ea9dfd43e9939b6344356d192b3b7ec6e22ec8ac4851b715165a9e293d4746e0
                          • Instruction Fuzzy Hash: 3311F4B1D002089BCB10DFAAC884BEFFBF5BF48324F54842AD519A7640CB75A945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE ref: 02D494FA
                          Memory Dump Source
                          • Source File: 00000000.00000002.717428649.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.716217705.0000000002ABD000.00000040.00000001.sdmp, Offset: 02ABD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.716217705.0000000002ABD000.00000040.00000001.sdmp, Offset: 02ABD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.716217705.0000000002ABD000.00000040.00000001.sdmp, Offset: 02ABD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.716217705.0000000002ABD000.00000040.00000001.sdmp, Offset: 02ABD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.716217705.0000000002ABD000.00000040.00000001.sdmp, Offset: 02ABD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.716217705.0000000002ABD000.00000040.00000001.sdmp, Offset: 02ABD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Memory Dump Source
                          • Source File: 00000000.00000002.717428649.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Executed Functions

                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02EF933C
                          Memory Dump Source
                          • Source File: 0000000A.00000002.755542888.0000000002EF0000.00000040.00000001.sdmp, Offset: 02EF0000, based on PE: false
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE ref: 02EF94FA
                          Memory Dump Source
                          • Source File: 0000000A.00000002.755542888.0000000002EF0000.00000040.00000001.sdmp, Offset: 02EF0000, based on PE: false
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.755090834.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.755090834.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.755090834.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.755090834.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.755090834.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.755090834.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74cd0fa86d8bf6c2b6df6242a5a48575cbdff29ad0316d4757f43c39158c4311
                          • Instruction ID: ce71667455a22d441d1e5d3dcb78aea6708da7057be433e1248ea71228f47326
                          • Opcode Fuzzy Hash: 74cd0fa86d8bf6c2b6df6242a5a48575cbdff29ad0316d4757f43c39158c4311
                          • Instruction Fuzzy Hash: 4AC08C6180A7C42FCB13023014520C4BF30882310071681C3DCC98A1138111091ACB02
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                          • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                          • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                          • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ae960bb38143456d71b96d44f96bb543a3cef2b113b07ab0dd9dab203a49c6f
                          • Instruction ID: f1e10ad638fafefd94de1c81d289e7a29d5253f343aabe7f9747e70546e91adf
                          • Opcode Fuzzy Hash: 9ae960bb38143456d71b96d44f96bb543a3cef2b113b07ab0dd9dab203a49c6f
                          • Instruction Fuzzy Hash: FDC08C2884D3C84FCF230B7028E84D8BF318D0B02031A00C2C8C481823C416542ACF21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                          • Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
                          • Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                          • Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d9708f51c24efe8db8245e9a6d9368b1f56745d420d50f42ee6581ddd34df83e
                          • Instruction ID: 404374259dc0ca20d68ccfd6fb44bc179b24811205affd368ada46428191e120
                          • Opcode Fuzzy Hash: d9708f51c24efe8db8245e9a6d9368b1f56745d420d50f42ee6581ddd34df83e
                          • Instruction Fuzzy Hash: 8790223008020C8B080023803808080F30C80080003808020A00C000020A2030280080
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 30ac13d2c6e73bb5850833957d8ec3e028b7ef1dc409cd357a1364de75e8cfd2
                          • Instruction ID: b9a0cce820a4becf4f93bf681cf3431c14b3136384b22238c6fd9595a4833df1
                          • Opcode Fuzzy Hash: 30ac13d2c6e73bb5850833957d8ec3e028b7ef1dc409cd357a1364de75e8cfd2
                          • Instruction Fuzzy Hash: 3190023148464C8B465027957819595B75CF6455567C50851A50E415019E5564244595
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000002.756113794.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c3a7214367beeccbf4aa24fb6fd9dc3d1c16766310c7c4804281b94bcb1c71d
                          • Instruction ID: 052d09e9e34c6c96f3856bd56c08f228c13b80c28323252630377a79b90c4cf4
                          • Opcode Fuzzy Hash: 3c3a7214367beeccbf4aa24fb6fd9dc3d1c16766310c7c4804281b94bcb1c71d
                          • Instruction Fuzzy Hash: 9C90223008020C8B000023803008088B30C800C0323800000E00C020000A22B02000A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: g
                          • API String ID: 0-30677878
                          • Opcode ID: 22180e5fbe50a290f6df19553064169135beb0ff29cb68749b9ef2c1bd9b6c09
                          • Instruction ID: 5bedca7a326cf2d1f2f310a4733177703a40bf87466e58c6061744c84939026d
                          • Opcode Fuzzy Hash: 22180e5fbe50a290f6df19553064169135beb0ff29cb68749b9ef2c1bd9b6c09
                          • Instruction Fuzzy Hash: AD120631F442148FDB98AB78845027EB6A7BFC9311B16896AD426EB346DF30CD02C7D2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c37991aff5146427ba7dd21288c045c19fdd97f6c586dc920ffe035560c5f77
                          • Instruction ID: 894f95cbbb363bb489adb0da98b8bada3678e5f5eecece7c06136764e3774e29
                          • Opcode Fuzzy Hash: 7c37991aff5146427ba7dd21288c045c19fdd97f6c586dc920ffe035560c5f77
                          • Instruction Fuzzy Hash: 62D16B71E00209CFCB54DFA8C484AAEFBF6FF88314F14855AE915AB251DB34AD46CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?), ref: 0552C1E2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.933797738.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 92270fa0bf5622e2bbd7053a3c97294e29c7584e302446cc65989de0895928ef
                          • Instruction ID: 5870e9dc0d476a927ee74cb6f1c597fe85ac44a07ee3ca8d13b6d2c5b6748e32
                          • Opcode Fuzzy Hash: 92270fa0bf5622e2bbd7053a3c97294e29c7584e302446cc65989de0895928ef
                          • Instruction Fuzzy Hash: CA3153B1E00629AFDB14CFA9C8897ADBBF1BF09304F10852AE815E7381DB749845CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?), ref: 0552C1E2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.933797738.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 76d5a19d62b485684c467a8650337059983a8bd41876cb065e4ea92fa4c99aac
                          • Instruction ID: 5b663cc421742922d061af908fa8e8cf207240de10afef2913258c2a071b1f23
                          • Opcode Fuzzy Hash: 76d5a19d62b485684c467a8650337059983a8bd41876cb065e4ea92fa4c99aac
                          • Instruction Fuzzy Hash: DA3123B0D04669AFDB14CFA9C8857AEBBF1BF0A314F108529E815A7381DB749845CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02A2933C
                          Memory Dump Source
                          • Source File: 0000000B.00000002.930899349.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: f373c314d885a8ae744610cfd2ccdfbee03f2222e595c2608383dd70c518e9f2
                          • Instruction ID: 0d473e6eb1fa429c4ec22b76e2315cbe17953eb8ab0d6c41573943d9ec4b54aa
                          • Opcode Fuzzy Hash: f373c314d885a8ae744610cfd2ccdfbee03f2222e595c2608383dd70c518e9f2
                          • Instruction Fuzzy Hash: 8A11F4B1D002099BDB10DFAAC884BEFFBF5BF48314F14882AD529A7240CB759945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlSetProcessIsCritical.NTDLL(00000001,00000000,?), ref: 05522FF5
                          Memory Dump Source
                          • Source File: 0000000B.00000002.933797738.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: false
                          Similarity
                          • API ID: CriticalProcess
                          • String ID:
                          • API String ID: 2695349919-0
                          • Opcode ID: dd7e6ee76fa974048522351cb65597a8103611302c2a3c99999a44ab6daf6789
                          • Instruction ID: 8d4bacfe22fefc0196313cfb677ec7ecc3da03744f64ad85ec8b121722293e64
                          • Opcode Fuzzy Hash: dd7e6ee76fa974048522351cb65597a8103611302c2a3c99999a44ab6daf6789
                          • Instruction Fuzzy Hash: B71143B5904249DFCB20CF9AC888BDEBBF4FB89314F118419E918A7240D374AA44CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE ref: 02A294FA
                          Memory Dump Source
                          • Source File: 0000000B.00000002.930899349.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 5b1c00757a0dc3cde9e9a4d68d71c1e1c6ab348fcb93fa8aa7e24e1a8588c129
                          • Instruction ID: c6870b57b7c84f4e6ea6fe0152366a5fdfec8cb188365bdf02ba75493ddb7866
                          • Opcode Fuzzy Hash: 5b1c00757a0dc3cde9e9a4d68d71c1e1c6ab348fcb93fa8aa7e24e1a8588c129
                          • Instruction Fuzzy Hash: DA113AB1D003498BCB10DFAAC4447EFFBF5AF88218F108819D519B7640CB75A944CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlSetProcessIsCritical.NTDLL(00000001,00000000,?), ref: 05522FF5
                          Memory Dump Source
                          • Source File: 0000000B.00000002.933797738.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: false
                          Similarity
                          • API ID: CriticalProcess
                          • String ID:
                          • API String ID: 2695349919-0
                          • Opcode ID: c24f8941068ff516f461db3e4bc673d81935eff063523ccef2f9cc56cf8bd6c9
                          • Instruction ID: d87d98f546cf94f4a40d6261024f6146f42a2ed9ab3495ec3bafb82ec61d8594
                          • Opcode Fuzzy Hash: c24f8941068ff516f461db3e4bc673d81935eff063523ccef2f9cc56cf8bd6c9
                          • Instruction Fuzzy Hash: 501125B59046589FCB20CF99C884BEEFBF4FB49314F108419E519A7240D774A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: k+
                          • API String ID: 0-3464814512
                          • Opcode ID: fbe2804176c1900920a6ff591837a8ae05d4a329463d37e77cebfe43ff609c81
                          • Instruction ID: 33abe4e54a4cea7e8420514e3ca0954b5def6a1d1f7a2c024af14ed9bb29aeda
                          • Opcode Fuzzy Hash: fbe2804176c1900920a6ff591837a8ae05d4a329463d37e77cebfe43ff609c81
                          • Instruction Fuzzy Hash: FFF0A7307402544FD790ABBC845075F7AE29F84318F54893D9A26DBB48DF749D05CBD5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ff77ed024835d80f9d40169d6a908c17ae0f8e1ca06a4eeaab48d7b14df7a8a
                          • Instruction ID: f86f7c3f2f33c4ad0dfab8d104c29f7102a1ecfae03c21084a1fcb772fcebfa1
                          • Opcode Fuzzy Hash: 2ff77ed024835d80f9d40169d6a908c17ae0f8e1ca06a4eeaab48d7b14df7a8a
                          • Instruction Fuzzy Hash: 3191A231F84125CFE799BBA4C85476F7662AB80310F298075DD17AB284EF399D41CBE2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c4de3574949c44bab1187dc0b9e51ccb8e0c7783f3b87e6e08b7fa527756358f
                          • Instruction ID: 3715f4af4faa3875f8d5f7cc48dcaf25fbe7af4140b4297ebfad757b3efdf196
                          • Opcode Fuzzy Hash: c4de3574949c44bab1187dc0b9e51ccb8e0c7783f3b87e6e08b7fa527756358f
                          • Instruction Fuzzy Hash: 1061A131FC02259EEBD477B5880873F21956F81211FD988759E2AAB584EF24EC01C7E3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 35685c5c42699f9d2ccd1304320c8b3b5b98d9c9332836c3307c707e6468e29d
                          • Instruction ID: 28a6a2255aa0336b6ffcc9f9a36d9a03f62a421e746f0c920684cda99d8fa8d6
                          • Opcode Fuzzy Hash: 35685c5c42699f9d2ccd1304320c8b3b5b98d9c9332836c3307c707e6468e29d
                          • Instruction Fuzzy Hash: 4E819375E84224CFFBD0BB64D55876EB7B2AB84720F188466D906A7384EF349C41CBD2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f04ee2849c4d17cbce4d243b5ffaae4e17bf33246b3088658367d2b8660402ec
                          • Instruction ID: 12e4971144e1851238516bfb96f1612537967642bb4f45b90af3c169ff6d3eab
                          • Opcode Fuzzy Hash: f04ee2849c4d17cbce4d243b5ffaae4e17bf33246b3088658367d2b8660402ec
                          • Instruction Fuzzy Hash: 9E717431E10214CFCB55EBA8D8549ADBBF2FF89324F14846AD409AB361DB35ED45CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c9f461a441dfc6caaa51e1def0405b6af363fa510431cef7d8c6855721295b5f
                          • Instruction ID: 2bd47c4a677fb3fd759a52b73936bd29012036c62790f0135b210eb3d712fea6
                          • Opcode Fuzzy Hash: c9f461a441dfc6caaa51e1def0405b6af363fa510431cef7d8c6855721295b5f
                          • Instruction Fuzzy Hash: CB519F31F58151EFEBA07B64D14833EBAA3AF85211F098469CD4A9B384EB349C05D7A3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 59a0a0bcb2a475b7308d670c496c3adb34bbbcf3d19ecabbfecbb4aa502cda67
                          • Instruction ID: 60801b99a60bed140ea766c533bcbdb3cf485a534c0f03c3f0792e1748d3a6e2
                          • Opcode Fuzzy Hash: 59a0a0bcb2a475b7308d670c496c3adb34bbbcf3d19ecabbfecbb4aa502cda67
                          • Instruction Fuzzy Hash: 8A51B131F98151DFEBA17B54D14833D7BA3AF85211F19846AC84A9B344EB349C05D7A3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd4e222c76c873c657f7c4aa2e038f9b903546d33df84c7b53ee7b760b669af4
                          • Instruction ID: c20eb9419f295925c8db450adac08b5d992c99bdaf7570052463d79b50bf1c35
                          • Opcode Fuzzy Hash: fd4e222c76c873c657f7c4aa2e038f9b903546d33df84c7b53ee7b760b669af4
                          • Instruction Fuzzy Hash: BA518175E84228CFFBD0BB54D55876E77B2BB44320F188066D906A7284EF349C41CBD2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f515db78e81a62f8958104952e64b4921e3678d36f73e8275b09e0db32e2f365
                          • Instruction ID: 9ce9b3774a15d2f7ce3c6b9e1936de1c9802f0a96c99a0dd7ed23353b407937e
                          • Opcode Fuzzy Hash: f515db78e81a62f8958104952e64b4921e3678d36f73e8275b09e0db32e2f365
                          • Instruction Fuzzy Hash: 55417235FC02269EEBD477B58D0873F21956F81211FC584759E1AAB984EF249C01CBE3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f790db8d617252c37b9e7939922da35feae8368b4d33841adf5466488a49e78c
                          • Instruction ID: fd204963aab54e68c8416e9b682646a8ae6f7283bbbd55df9bc48700f45dc4d9
                          • Opcode Fuzzy Hash: f790db8d617252c37b9e7939922da35feae8368b4d33841adf5466488a49e78c
                          • Instruction Fuzzy Hash: EA417235FC02259EEBD477B58D0873F21A56F81211FC984759E1AAB984EF24AC01CBE3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fbf32823d84c1fc7819e20a16b8db25ffddbb661305c895e35ebb59b0e624bcd
                          • Instruction ID: 7c0db8b5c39cda8c7522003516f01eb92b3af338e8924e44acad6dd2ee57fac6
                          • Opcode Fuzzy Hash: fbf32823d84c1fc7819e20a16b8db25ffddbb661305c895e35ebb59b0e624bcd
                          • Instruction Fuzzy Hash: 4241E2757002059FCB55AB78D850A6FB7ABEBC5214B50886AE509CB780DF719C06CBE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cde10116a80e07af5d1d1f450d9f8ce5b92a43e48ea59e1506a8d4dc00453775
                          • Instruction ID: a47b9b9896eb8ea57555b8a710f69b7a149fac8bf460f3f5363a7539094cb1b9
                          • Opcode Fuzzy Hash: cde10116a80e07af5d1d1f450d9f8ce5b92a43e48ea59e1506a8d4dc00453775
                          • Instruction Fuzzy Hash: 5441F631E90228EFEF40B7B5D4547AEB376ABC4220F05C03AC91AA7285EA30DD41CBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4e5c4a47c070471e313c2d529ab7c5be3f9adf97e26aaf1837a5c985f55c197
                          • Instruction ID: d1214bcb1362b818fef8235340a795e0b59fddb5153d14a77870b2891d3944cc
                          • Opcode Fuzzy Hash: a4e5c4a47c070471e313c2d529ab7c5be3f9adf97e26aaf1837a5c985f55c197
                          • Instruction Fuzzy Hash: 20419635F90229EFEF50B7A5D4547AEB376ABC4320F14C139C915A7285EA309D40CBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 88c7b5f094beed7f92ba0c074a301fbd9a02dab999400fe79c0a0da1fd02221d
                          • Instruction ID: fb4f66f90f9fe66ee0d01643de471334634d15bd0194bf02953394b4d3a54da4
                          • Opcode Fuzzy Hash: 88c7b5f094beed7f92ba0c074a301fbd9a02dab999400fe79c0a0da1fd02221d
                          • Instruction Fuzzy Hash: 45412432E553448FDB51DB64C8045EDBFF2AF85324F0980AAD405EB262DB359C49CBB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9fa4b6182756931651052fed25fc45a80e183865d373dbffa1de30bdf3356fb5
                          • Instruction ID: 895e6d00a91675fb046b5b128180e03ac19ed56be3ed81768cec05fb9f062ab8
                          • Opcode Fuzzy Hash: 9fa4b6182756931651052fed25fc45a80e183865d373dbffa1de30bdf3356fb5
                          • Instruction Fuzzy Hash: 0E310D35E84124CFDF90B7ACD8587BE7366AB85220F148075DF16B7281DA749C01C7E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d2dd19bdee429ba8fdd5129a78616920925ae1ea52899fea40b28880e7f783b1
                          • Instruction ID: 57da87f26097ee601ae3a2dc1cec6205d5ff65ceba7bd98bc12b82ac821c1d17
                          • Opcode Fuzzy Hash: d2dd19bdee429ba8fdd5129a78616920925ae1ea52899fea40b28880e7f783b1
                          • Instruction Fuzzy Hash: 6A31AE797001254F8B84BF78E460D6E32E7EBC96587008569D60ACB7A8EF30DD09CBD2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 42aeaff0bfd902e7354cca603187620509a748d7fa2e4a6fab9d0f0a412758a3
                          • Instruction ID: 0fad627a08ef3f585fcc462718baf4807a270013025d63c1a02104bdf5ea760e
                          • Opcode Fuzzy Hash: 42aeaff0bfd902e7354cca603187620509a748d7fa2e4a6fab9d0f0a412758a3
                          • Instruction Fuzzy Hash: 8B21C772E4060A9FD781EAA8C9506FFB7FAEBC4310F548126D555E7245EB309E02CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
                          • Instruction ID: 29f6224dccce5c91cfde4dbcf6ef2d8eab8ae5265d8597ad401a6bfe491303de
                          • Opcode Fuzzy Hash: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
                          • Instruction Fuzzy Hash: 44D06236100119BF9B05DE84DC41CA67B6AEB89660714C05AFD1547211C673DD22DBD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6ec028193aaf5d11d080a6cce44edc95ccdf89edc1c729def7b99c969fb89afe
                          • Instruction ID: 269fb8c9a430be3e63efb01417d52430ae87561bc096e208533eb05ab7a0bd62
                          • Opcode Fuzzy Hash: 6ec028193aaf5d11d080a6cce44edc95ccdf89edc1c729def7b99c969fb89afe
                          • Instruction Fuzzy Hash: 23D0A7B6C482902EC347D394A9A14787F6189D310831DC4EBE44DCF763D6278E57D341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 926e2c57027000c605c98698a4e49a2c894234209742b9e06f51048a3f60705f
                          • Instruction ID: 449d6518bc639ef74576d15b6ab2f15db4e16c738b20959a7c67347ec94c663d
                          • Opcode Fuzzy Hash: 926e2c57027000c605c98698a4e49a2c894234209742b9e06f51048a3f60705f
                          • Instruction Fuzzy Hash: 3AD09E36610158BB9714DE88D841DA6BB6AEB89660714C05AFD1887315C672DD13D7D0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f6dd3b8a7f8def7b451fb09b863df7ab1539d2d45bfa464a45e2290d26fe33f1
                          • Instruction ID: 5b04b70b91217e9cc32881f1c41f44fd6b6549ad468f02247e5dbf887d3e8a75
                          • Opcode Fuzzy Hash: f6dd3b8a7f8def7b451fb09b863df7ab1539d2d45bfa464a45e2290d26fe33f1
                          • Instruction Fuzzy Hash: CBD0C931C89E844EC6A2A2B0A8524B87F21C6A728439886C3989DDAA52E50A0C16CA13
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 42b93db183f98731c422518575cf5b9d8122211122534374246f5cd37a364f49
                          • Instruction ID: 95caf21472a2bacef8403c7bfeb98fe96005b84aa310747828e712c36f970b5e
                          • Opcode Fuzzy Hash: 42b93db183f98731c422518575cf5b9d8122211122534374246f5cd37a364f49
                          • Instruction Fuzzy Hash: DCD067A4C467816FDB8D9F2648404727FF5ADD520537585DE90548A122E235CA07CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4c31cb80f4bc62c197bb385bf3d701b6e4fb095b972c1e68d1bcff294e8c818
                          • Instruction ID: e4585038764c705c2dd3cae24eac11d8f4c91360db4a279c3c9b6d022a3c4a75
                          • Opcode Fuzzy Hash: a4c31cb80f4bc62c197bb385bf3d701b6e4fb095b972c1e68d1bcff294e8c818
                          • Instruction Fuzzy Hash: 4FD0A7313086485FD340DF5CD851895F7A5DF95654B24C06AF84CC7313E632FD12C694
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 194125476680dc283c7b26c4afbd4ff3e2589ac91f63a982b6a64f0577a7ecd0
                          • Instruction ID: 7d1f7417e13fee643028905f0d29702140e27091e808826f0b1bb406416187ca
                          • Opcode Fuzzy Hash: 194125476680dc283c7b26c4afbd4ff3e2589ac91f63a982b6a64f0577a7ecd0
                          • Instruction Fuzzy Hash: D1D01259C8D7D40ED75213A46A3B1253F614C125DA7484CC3AC45D9942C590D845C326
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
                          • Instruction ID: 1b0a6f6d896694a697788613f5e5355b62e48349d74697ae87246d03dd23ea49
                          • Opcode Fuzzy Hash: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
                          • Instruction Fuzzy Hash: 05D0C936200118BF9B04DE88DC41CAABB6EEB89660714C05FFD1887311CAB3ED22DBD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: af58afab22034b7f1229c0ef458342892913f793421881c4461eb4b260a0071c
                          • Instruction ID: 6d68b05217d42df5e88776538ac7dda21d442ee5568cf4866697fd22aaba22dc
                          • Opcode Fuzzy Hash: af58afab22034b7f1229c0ef458342892913f793421881c4461eb4b260a0071c
                          • Instruction Fuzzy Hash: 3CC08C21D8ABA01FC22727282C4E4FA3F28A9472023010B83F70685813F4918C13C6A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
                          • Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
                          • Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
                          • Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5cfe996e962406f7a4d63fef098d6a9ea1f197d7f4503d3f260072587e2be179
                          • Instruction ID: 0d5cec1026cf92cf5c34a240844c94d2ea913dde3241d17c84b1b894b4870bdf
                          • Opcode Fuzzy Hash: 5cfe996e962406f7a4d63fef098d6a9ea1f197d7f4503d3f260072587e2be179
                          • Instruction Fuzzy Hash: 3CC01270C997C05DC7E2637059614E83F314A97194B5945E6C4598D953D01E0C07C615
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 973e37369a604dbe8a80292d4f011c47634442677426dcee8c4f4eb67a88caa9
                          • Instruction ID: 8bca619180a3765f9ccc36a8a44e16996b6a32cdaae5d76964a9886db0329c29
                          • Opcode Fuzzy Hash: 973e37369a604dbe8a80292d4f011c47634442677426dcee8c4f4eb67a88caa9
                          • Instruction Fuzzy Hash: B8D0C736009348BFC702DF90DC50D957F7AEF1621070580D2F5544A176C6359628D7B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0b1090cc414d078f5f286547ffa9909c9644ab0fd524180d9f4d420b673a805
                          • Instruction ID: b4db6ec7d902015c95c864d4b27fde8319fa0482382abf287fa76713580642dd
                          • Opcode Fuzzy Hash: a0b1090cc414d078f5f286547ffa9909c9644ab0fd524180d9f4d420b673a805
                          • Instruction Fuzzy Hash: A0D0C9F48417009EAFCCEF1A88444327AE1FEC46083B0C8AE50198A212E635CA03DAD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f68b40b13068dfc36190c0627fef8da9e733665328671f0c2c4929cd6ef91f50
                          • Instruction ID: 12466b3ef601f12f3f4d79143c11f9f7610510d045d95c4245bded8b73be39bb
                          • Opcode Fuzzy Hash: f68b40b13068dfc36190c0627fef8da9e733665328671f0c2c4929cd6ef91f50
                          • Instruction Fuzzy Hash: C0C01231C8A3C41FCBAA3770281006C7B241803285B1624E79DA49E622E4228CABC3A3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 26ac624e7b3f760db9e6e4bdb72b40d6f9f306466a81840748af13bd3de42333
                          • Instruction ID: 5764b510857121e4d6fd60adcf012b240579124c60d9bd3af5164d09ad2c1cc0
                          • Opcode Fuzzy Hash: 26ac624e7b3f760db9e6e4bdb72b40d6f9f306466a81840748af13bd3de42333
                          • Instruction Fuzzy Hash: 72C08C21CCDBC21CDAD6B3B014140282F21482219134405C790A88D953E41A0C40C302
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d53168f009246aae8411ff391ebef56f2e632a42b3e7e65afb776481204c5836
                          • Instruction ID: 4039ecad448e457b36b4ef4a745f390654b253bff399cf05df847a4b6f711d5d
                          • Opcode Fuzzy Hash: d53168f009246aae8411ff391ebef56f2e632a42b3e7e65afb776481204c5836
                          • Instruction Fuzzy Hash: 44D0801189E2705FDB51EB54D8AC3D6FF54EB01215F1BC1D69046850C3E51D5C4BD5B2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                          • Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
                          • Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                          • Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                          • Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
                          • Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                          • Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 95c8ea1ac763b4a84c7eff029519290de0972631d838076e4f81b950e71bb8bf
                          • Instruction ID: d000d04d598815d566e6c19a1815c64832f3f0c2e63438b3693ef4e05f14c316
                          • Opcode Fuzzy Hash: 95c8ea1ac763b4a84c7eff029519290de0972631d838076e4f81b950e71bb8bf
                          • Instruction Fuzzy Hash: C8B012300CB718B9D16032B0AD02E76324C8B41988FC00064B75C08551C866A89184F5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: acfa8c006e3f98e3a877550e52bba05884fa8d6ff758faf7d0f7a677c27c467a
                          • Instruction ID: 6ed07d168ff4b37c51feab01e07af222a0125fa67172792bd86dfd33c8017e87
                          • Opcode Fuzzy Hash: acfa8c006e3f98e3a877550e52bba05884fa8d6ff758faf7d0f7a677c27c467a
                          • Instruction Fuzzy Hash: D0C09B574CF5C40EC78347A47E254A07F30584303A35D10D7F09DC6573C0574198D66A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                          • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                          • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                          • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                          • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                          • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                          • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 83a0a624680021a171239de39a716a03624f09abd8102a760a6806dafa466eeb
                          • Instruction ID: 83937e83e9d2b3161333291af7939ee3a4953ba20e95e332254e4a5091cb5509
                          • Opcode Fuzzy Hash: 83a0a624680021a171239de39a716a03624f09abd8102a760a6806dafa466eeb
                          • Instruction Fuzzy Hash: 2CC04C25B0C5D08FD74497A4895562A76635784221B16857989179738DC924DC458A82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: abafbd250fdc8027186381303cef31fa17e9cf3dffb1e8603b6c12be573ce83f
                          • Instruction ID: a89de6777751d4675f9965098e0dda6883fffb893becf8d49ff565d10cf85430
                          • Opcode Fuzzy Hash: abafbd250fdc8027186381303cef31fa17e9cf3dffb1e8603b6c12be573ce83f
                          • Instruction Fuzzy Hash: 6BA02230082B0C8A828033F0AA00828338C088080CBC000B8830C08A22C833E8A0C088
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aead19a59ebd7f24bf13e5c2d85a9a6e5a8a32e1c3b63d0df635047df997d3c5
                          • Instruction ID: f45851fd7db1a5682407d00881c6adac29944fe6e95742440b1b6e5dc0d70d60
                          • Opcode Fuzzy Hash: aead19a59ebd7f24bf13e5c2d85a9a6e5a8a32e1c3b63d0df635047df997d3c5
                          • Instruction Fuzzy Hash: C2A022300CBB0C8A8A8032B0280002033CC08000083C000BC830C0CA20A833F8A0C08A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 17b4a735112c7ed167775985adad8828aa11b42d060d6a6a33de56f0e50a0cac
                          • Instruction ID: c0f46026130bd783ebd7645eebcff72b671d24b808da068751080ec4ac5c3127
                          • Opcode Fuzzy Hash: 17b4a735112c7ed167775985adad8828aa11b42d060d6a6a33de56f0e50a0cac
                          • Instruction Fuzzy Hash: ABA0243100370CCFC31017747005010775CD500317340407DF10C005114F33F011C571
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f7276d5aeb6daf1655ec62c3ce82a4c6c74073ad418292f987f796ef4358c738
                          • Instruction ID: aeac3470fe297d191d7dc9576eaf80ae1833ca57267c74256d7488b2086b3710
                          • Opcode Fuzzy Hash: f7276d5aeb6daf1655ec62c3ce82a4c6c74073ad418292f987f796ef4358c738
                          • Instruction Fuzzy Hash: C790023148471C8F464027957419556775CA544AAABC448D1B50D519055E95E42145A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cb15d865db046cdfab1cf2241950ba4250cf0eb0f2a391010791f7b0902d82db
                          • Instruction ID: d7dd373a5376309aa895f3f621a2786986da52c50ca7468296ab05b2dd718239
                          • Opcode Fuzzy Hash: cb15d865db046cdfab1cf2241950ba4250cf0eb0f2a391010791f7b0902d82db
                          • Instruction Fuzzy Hash:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b7f21bd76af789255b5ac4287a478b7a297a7e1bb49b3ed982113a9a2936a3c1
                          • Instruction ID: 1a8f0596bd08e1b3feef1f4a9be3bd6e6600a0d90e8fb7a5c0f83b78cf0a2683
                          • Opcode Fuzzy Hash: b7f21bd76af789255b5ac4287a478b7a297a7e1bb49b3ed982113a9a2936a3c1
                          • Instruction Fuzzy Hash: 8390023158471C8B454127A57609697775C95446157800552B70D419025E5AA4214595
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 36e7846be3932f71bce8affe14eabc00fa97a5c18ba4c21189a714a469f76b19
                          • Instruction ID: 8753f336a9bfc4c4a73f2ea54c2a9e65375ec2eb54910f7eaf6f6a4f352738b8
                          • Opcode Fuzzy Hash: 36e7846be3932f71bce8affe14eabc00fa97a5c18ba4c21189a714a469f76b19
                          • Instruction Fuzzy Hash: 12900275145A0C8B458077957409555B75D95445157808051A61D8151A9A7664104995
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.934590632.0000000006780000.00000040.00000001.sdmp, Offset: 06780000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 884749fa78c0d6d7237a5be480558b8d8ace1e67053a26c4215ded40183019ce
                          • Instruction ID: 819f7814d5f2e62ab629ba489d987ed22600d0611ab5f759463627f96934672c
                          • Opcode Fuzzy Hash: 884749fa78c0d6d7237a5be480558b8d8ace1e67053a26c4215ded40183019ce
                          • Instruction Fuzzy Hash: BB900231884B1D8B45442B967509556775CD64462A7800895A50D519055E59A42185A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions