Edit tour

Windows Analysis Report
#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Overview

General Information

Sample Name:	#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Analysis ID:	611838
MD5:	003e0908a07fb58b60b8c45464507c92
SHA1:	46722cf8ddaf0d494bae79b281305ed39523125f
SHA256:	0ecb3940108196cc963c2b12c6adf69df9d066b2e5e496102ae60ccd8eaba5a2
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Machine Learning detection for sample

May check the online IP address of the machine

Injects a PE file into a foreign processes

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe" MD5: 003E0908A07FB58B60B8C45464507C92)

#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe (PID: 6444 cmdline: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe MD5: 003E0908A07FB58B60B8C45464507C92)

#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe (PID: 4640 cmdline: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe MD5: 003E0908A07FB58B60B8C45464507C92)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Token": "l0gs.l@yandex.com", "Telegram ID": "333bukis"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18eae:$x1: $%SMTPDV$ 0x17aee:$x2: $#TheHashHere%& 0x18e56:$x3: %FTPDV$ 0x17ad0:$x4: $%TelegramDv$ 0x1551c:$x5: KeyLoggerEventArgs 0x158ac:$x5: KeyLoggerEventArgs 0x18eda:$m1: \| Snake Keylogger 0x18f80:$m1: \| Snake Keylogger 0x190d4:$m1: \| Snake Keylogger 0x191fa:$m1: \| Snake Keylogger 0x19354:$m1: \| Snake Keylogger 0x18e7a:$m2: Clipboard Logs ID 0x1908a:$m2: Screenshot Logs ID 0x1919e:$m2: keystroke Logs ID 0x1938a:$m3: SnakePW 0x19062:$m4: \SnakeKeylogger\
0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2106e:$x1: $%SMTPDV$ 0x51e8e:$x1: $%SMTPDV$ 0x1fcae:$x2: $#TheHashHere%& 0x50ace:$x2: $#TheHashHere%& 0x21016:$x3: %FTPDV$ 0x51e36:$x3: %FTPDV$ 0x1fc90:$x4: $%TelegramDv$ 0x50ab0:$x4: $%TelegramDv$ 0x1d6dc:$x5: KeyLoggerEventArgs 0x1da6c:$x5: KeyLoggerEventArgs 0x4e4fc:$x5: KeyLoggerEventArgs 0x4e88c:$x5: KeyLoggerEventArgs 0x2109a:$m1: \| Snake Keylogger 0x21140:$m1: \| Snake Keylogger 0x21294:$m1: \| Snake Keylogger 0x213ba:$m1: \| Snake Keylogger 0x21514:$m1: \| Snake Keylogger 0x51eba:$m1: \| Snake Keylogger 0x51f60:$m1: \| Snake Keylogger 0x520b4:$m1: \| Snake Keylogger 0x521da:$m1: \| Snake Keylogger
Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15dd0f:$x5: KeyLoggerEventArgs 0x15e09f:$x5: KeyLoggerEventArgs 0x15e677:$x5: KeyLoggerEventArgs 0x15e9d2:$x5: KeyLoggerEventArgs 0x1cabe0:$x5: KeyLoggerEventArgs 0x1caf70:$x5: KeyLoggerEventArgs 0x1cb548:$x5: KeyLoggerEventArgs 0x1cb8a3:$x5: KeyLoggerEventArgs 0x160217:$m1: \| Snake Keylogger 0x160266:$m1: \| Snake Keylogger 0x1602fa:$m1: \| Snake Keylogger 0x16035b:$m1: \| Snake Keylogger 0x1603d0:$m1: \| Snake Keylogger 0x1cd0e8:$m1: \| Snake Keylogger 0x1cd137:$m1: \| Snake Keylogger 0x1cd1cb:$m1: \| Snake Keylogger 0x1cd22c:$m1: \| Snake Keylogger 0x1cd2a1:$m1: \| Snake Keylogger 0x1601e6:$m2: Clipboard Logs ID 0x1602d5:$m2: Screenshot Logs ID 0x16032d:$m2: keystroke Logs ID
Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x932a:$x5: KeyLoggerEventArgs 0x96ba:$x5: KeyLoggerEventArgs 0x9c92:$x5: KeyLoggerEventArgs 0x9fed:$x5: KeyLoggerEventArgs 0xb832:$m1: \| Snake Keylogger 0xb881:$m1: \| Snake Keylogger 0xb915:$m1: \| Snake Keylogger 0xb976:$m1: \| Snake Keylogger 0xb9eb:$m1: \| Snake Keylogger 0xb801:$m2: Clipboard Logs ID 0xb8f0:$m2: Screenshot Logs ID 0xb948:$m2: keystroke Logs ID 0xba06:$m3: SnakePW 0xb8dc:$m4: \SnakeKeylogger\
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1943e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18627:$a3: \Google\Chrome\User Data\Default\Login Data 0x18a6e:$a4: \Orbitum\User Data\Default\Login Data 0x19bef:$a5: \Kometa\User Data\Default\Login Data
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12b24:$s1: UnHook 0x12b2b:$s2: SetHook 0x12b33:$s3: CallNextHook 0x12b40:$s4: _hook
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16b3e:$x1: $%SMTPDV$ 0x1577e:$x2: $#TheHashHere%& 0x16ae6:$x3: %FTPDV$ 0x15760:$x4: $%TelegramDv$ 0x131ac:$x5: KeyLoggerEventArgs 0x1353c:$x5: KeyLoggerEventArgs 0x16b6a:$m1: \| Snake Keylogger 0x16c10:$m1: \| Snake Keylogger 0x16d64:$m1: \| Snake Keylogger 0x16e8a:$m1: \| Snake Keylogger 0x16fe4:$m1: \| Snake Keylogger 0x16b0a:$m2: Clipboard Logs ID 0x16d1a:$m2: Screenshot Logs ID 0x16e2e:$m2: keystroke Logs ID 0x1701a:$m3: SnakePW 0x16cf2:$m4: \SnakeKeylogger\
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1943e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18627:$a3: \Google\Chrome\User Data\Default\Login Data 0x18a6e:$a4: \Orbitum\User Data\Default\Login Data 0x19bef:$a5: \Kometa\User Data\Default\Login Data
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12b24:$s1: UnHook 0x12b2b:$s2: SetHook 0x12b33:$s3: CallNextHook 0x12b40:$s4: _hook
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16b3e:$x1: $%SMTPDV$ 0x1577e:$x2: $#TheHashHere%& 0x16ae6:$x3: %FTPDV$ 0x15760:$x4: $%TelegramDv$ 0x131ac:$x5: KeyLoggerEventArgs 0x1353c:$x5: KeyLoggerEventArgs 0x16b6a:$m1: \| Snake Keylogger 0x16c10:$m1: \| Snake Keylogger 0x16d64:$m1: \| Snake Keylogger 0x16e8a:$m1: \| Snake Keylogger 0x16fe4:$m1: \| Snake Keylogger 0x16b0a:$m2: Clipboard Logs ID 0x16d1a:$m2: Screenshot Logs ID 0x16e2e:$m2: keystroke Logs ID 0x1701a:$m3: SnakePW 0x16cf2:$m4: \SnakeKeylogger\
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.3.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.4019990.0.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x177ad3:$i2: sserddAcorPteG 0x177ae2:$i3: AyrarbiLdaoL
Click to see the 56 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke (rule): Data: Image: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, QueryName: checkip.dyndns.org

Source: Process started

Author: frack113: Data: Command: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, CommandLine: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, NewProcessName: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, OriginalFileName: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, ParentCommandLine: "C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe" , ParentImage: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, ParentProcessId: 6836, ParentProcessName: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, ProcessCommandLine: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, ProcessId: 6444, ProcessName: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Snort Signatures

ET TROJAN Maldoc Activity (set) - Source IP: 192.168.2.5 - Destination IP: 45.137.22.163

Timestamp:	04/20/22-09:15:09.692292 04/20/22-09:15:09.692292
SID:	2034631
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "l0gs.l@yandex.com", "Telegram ID": "333bukis"}

Machine Learning detection for sample

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Joe Sandbox ML: detected

Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack	Avira: Label: TR/ATRAPS.Gen

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: unknown

HTTPS traffic detected: 188.114.96.7:443 -> 192.168.2.5:49789 version: TLS 1.0

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107E43Fh	12_2_0107E183
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107CBC0h	12_2_0107C1D7
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107D5E8h	12_2_0107D1D0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107E89Fh	12_2_0107E5E3
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107ECFFh	12_2_0107EA40
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107D021h	12_2_0107CD60
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107DFDFh	12_2_0107DCB0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107F15Fh	12_2_0107EEA1
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0107D5E8h	12_2_0107D516
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0107B6F8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0107BD2B
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0107BF0C
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 05248DD9h	12_2_05248B30
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524D7B1h	12_2_0524D508
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524DC09h	12_2_0524D960
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524A7E9h	12_2_0524A540
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524C1F9h	12_2_0524BF50
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524C651h	12_2_0524C3A8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524E061h	12_2_0524DDB8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 05249231h	12_2_05248F88
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524AC41h	12_2_0524A998
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 05249689h	12_2_052493E0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524B099h	12_2_0524ADF0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 05249AE1h	12_2_05249838
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524CAA9h	12_2_0524C800
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524B4F1h	12_2_0524B248
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524CF01h	12_2_0524CC58
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524B949h	12_2_0524B6A0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524D359h	12_2_0524D0B0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 05249F39h	12_2_05249C90
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524A391h	12_2_0524A0E8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 0524BDA1h	12_2_0524BAF8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 05248981h	12_2_052486D8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06375991h	12_2_063756E8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06372979h	12_2_063726D0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 063736A9h	12_2_06373400
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06374832h	12_2_06374588
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06375539h	12_2_06375290
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06376699h	12_2_063763F0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 063743B1h	12_2_06374108
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 063750E1h	12_2_06374E38
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06373251h	12_2_06372FA8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06376241h	12_2_06375F98
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06373F59h	12_2_06373CB0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06372DF9h	12_2_06372B50
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06375DE9h	12_2_06375B40
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06373B01h	12_2_06373858
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then jmp 06374C89h	12_2_063749E0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_06370C06
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_063708F0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_063708E0

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.5:49775 -> 45.137.22.163:80

May check the online IP address of the machine

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET /xml/102.129.143.53 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /orderfile_Hecqxfqw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 45.137.22.163 45.137.22.163

Source: unknown

HTTPS traffic detected: 188.114.96.7:443 -> 192.168.2.5:49789 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.534822230.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.163
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	String found in binary or memory: http://45.137.22.163/orderfile_Hecqxfqw.png
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	String found in binary or memory: http://45.137.22.163/orderfile_Hecqxfqw.png5Jbchb.Properties.Resources
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695784234.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695784234.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695784234.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org4
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgD8
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.696005553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.app
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.534822230.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695784234.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.433631961.0000000005D85000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.436660311.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.433631961.0000000005D85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comdol
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.433631961.0000000005D85000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.436660311.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comes
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.433631961.0000000005D85000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.436660311.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comsig
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.433631961.0000000005D85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comy
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.430520537.0000000005D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.427481729.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.427481729.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comiv
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.427481729.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.430751872.0000000005D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.430751872.0000000005D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comv(
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.537708381.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/102.129.143.53
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/102.129.143.53x
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.695970903.0000000002C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app4
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535161383.000000000305D000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.534894681.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535161383.000000000305D000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.534894681.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535161383.000000000305D000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.534894681.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET /xml/102.129.143.53 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /orderfile_Hecqxfqw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.3.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.4019990.0.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 0_2_0137C124	0_2_0137C124
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 0_2_0137E570	0_2_0137E570
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 0_2_0137E560	0_2_0137E560
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107E183	12_2_0107E183
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_010751B0	12_2_010751B0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107C1D7	12_2_0107C1D7
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_01073578	12_2_01073578
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107E5E3	12_2_0107E5E3
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107D660	12_2_0107D660
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_010786B0	12_2_010786B0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_01074B88	12_2_01074B88
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107EA40	12_2_0107EA40
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107CD60	12_2_0107CD60
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_01072C31	12_2_01072C31
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107DCB0	12_2_0107DCB0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107EEA1	12_2_0107EEA1
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107D650	12_2_0107D650
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107B6E8	12_2_0107B6E8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0107B6F8	12_2_0107B6F8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05241130	12_2_05241130
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05248B30	12_2_05248B30
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524D508	12_2_0524D508
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524D960	12_2_0524D960
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524A540	12_2_0524A540
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524BF50	12_2_0524BF50
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524C3A8	12_2_0524C3A8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524DDB8	12_2_0524DDB8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05248F88	12_2_05248F88
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524A998	12_2_0524A998
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_052493E0	12_2_052493E0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524ADF0	12_2_0524ADF0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05249838	12_2_05249838
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524C800	12_2_0524C800
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524E210	12_2_0524E210
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524B248	12_2_0524B248
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05245650	12_2_05245650
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524CC58	12_2_0524CC58
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524B6A0	12_2_0524B6A0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524D0B0	12_2_0524D0B0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05249C90	12_2_05249C90
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524A0E8	12_2_0524A0E8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524BAF8	12_2_0524BAF8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_052486D8	12_2_052486D8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05248B21	12_2_05248B21
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524112B	12_2_0524112B
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524A530	12_2_0524A530
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05248F78	12_2_05248F78
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524BF42	12_2_0524BF42
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524DDA9	12_2_0524DDA9
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524A98A	12_2_0524A98A
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524C398	12_2_0524C398
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524ADE0	12_2_0524ADE0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524C7F0	12_2_0524C7F0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_052493D2	12_2_052493D2
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05249828	12_2_05249828
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524B238	12_2_0524B238
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524CC48	12_2_0524CC48
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524D0A0	12_2_0524D0A0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05244CA8	12_2_05244CA8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05249C80	12_2_05249C80
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524B691	12_2_0524B691
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_05244C9B	12_2_05244C9B
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524BAE8	12_2_0524BAE8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524D4FA	12_2_0524D4FA
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_052486C7	12_2_052486C7
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0524A0D8	12_2_0524A0D8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063756E8	12_2_063756E8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063726D0	12_2_063726D0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063797C8	12_2_063797C8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06373400	12_2_06373400
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637A468	12_2_0637A468
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063784E0	12_2_063784E0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06374588	12_2_06374588
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06375290	12_2_06375290
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063763F0	12_2_063763F0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06370040	12_2_06370040
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06374108	12_2_06374108
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06379178	12_2_06379178
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063771F8	12_2_063771F8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06374E38	12_2_06374E38
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06379E18	12_2_06379E18
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06377E98	12_2_06377E98
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06372FA8	12_2_06372FA8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06375F98	12_2_06375F98
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06370C68	12_2_06370C68
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06373CB0	12_2_06373CB0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637AAB0	12_2_0637AAB0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06378B28	12_2_06378B28
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06372B50	12_2_06372B50
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06375B40	12_2_06375B40
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06373858	12_2_06373858
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06377848	12_2_06377848
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06371968	12_2_06371968
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063749E0	12_2_063749E0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063756DA	12_2_063756DA
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063726CE	12_2_063726CE
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063797B8	12_2_063797B8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637A45B	12_2_0637A45B
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063784D3	12_2_063784D3
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637457A	12_2_0637457A
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06375280	12_2_06375280
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063733F0	12_2_063733F0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063763E0	12_2_063763E0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06370006	12_2_06370006
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063740F8	12_2_063740F8
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06379168	12_2_06379168
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063771E7	12_2_063771E7
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06374E28	12_2_06374E28
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06379E08	12_2_06379E08
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06377E88	12_2_06377E88
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06375F91	12_2_06375F91
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06372F9A	12_2_06372F9A
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06373CA0	12_2_06373CA0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637AAA0	12_2_0637AAA0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06375B30	12_2_06375B30
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06378B18	12_2_06378B18
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_06372B40	12_2_06372B40
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637783B	12_2_0637783B
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637384A	12_2_0637384A
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063708F0	12_2_063708F0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063708E0	12_2_063708E0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_063749CF	12_2_063749CF

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe "C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe"
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process created: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process created: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process created: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process created: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/4

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.444077789.0000000005D94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ctions.slnt
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.443265911.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.443927734.0000000005D93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Digitized data copyright The Monotype Corporation 1991-1995. All rights reserved. Forte"! is a trademark of The Monotype Corporation which may be registered in certain jurisdictions.slnt

Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, A?u05c9t?/uf0b9????.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637C491 push es; retf	12_2_0637C498
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637C499 push es; retf	12_2_0637C4A0
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637C345 push es; retf	12_2_0637C370
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Code function: 12_2_0637C3ED push es; retf	12_2_0637C408

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe TID: 6628	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe TID: 6980	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.515646321.0000000004453000.00000004.00000800.00020000.00000000.sdmp, #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.513241594.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zUVc1ejHT3RhQemUCX6
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.513241594.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PVmCipS9JnDy4tjBnLe

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Code function: 12_2_0107C1D7 LdrInitializeThunk,

12_2_0107C1D7

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, ?k??u0026/u05c1????.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Memory written: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process created: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe			Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Process created: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe			Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f6a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe.3f92570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.531878391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.526726543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.524451253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.530066001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.689828569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe PID: 4640, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Binary or memory string: OriginalFilename vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.515646321.0000000004453000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWwbdnvvolfbirihtyyivrufy.dll" vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000003.513241594.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWwbdnvvolfbirihtyyivrufy.dll" vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535737218.0000000003F92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000000.421562813.0000000000B12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameorderfile.exe4 vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.534894681.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535095631.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 00000000.00000002.535443771.0000000003F31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Binary or memory string: OriginalFilename vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000B.00000000.519041673.0000000000312000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameorderfile.exe4 vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Binary or memory string: OriginalFilename vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000000.523721149.0000000000862000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameorderfile.exe4 vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000000.526745149.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe, 0000000C.00000002.690109678.00000000009F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe
Source: #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Binary or memory string: OriginalFilenameorderfile.exe4 vs #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe