Windows Analysis Report
fao37nt7gY.exe

Overview

General Information

Sample Name: fao37nt7gY.exe
Analysis ID: 652385
MD5: 91588814db24dfa4c564f5379612f43f
SHA1: 7cacd0d8fea4635158e42a6edd33fda288aae492
SHA256: 45683622f38425de1a6c808e52245b68331d1ac0fe430d9dd769ae746929b812
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • fao37nt7gY.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\fao37nt7gY.exe" MD5: 91588814DB24DFA4C564F5379612F43F)
    • fao37nt7gY.exe (PID: 6712 cmdline: C:\Users\user\Desktop\fao37nt7gY.exe MD5: 91588814DB24DFA4C564F5379612F43F)
  • cleanup
Malware Configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "myreportlog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "myreport@valete.buzz"}
Source | Rule | Description | Author
00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  Strings:
  • 0x173b0:$x1: $%SMTPDV$
  • 0x173c6:$x2: $#TheHashHere%&
  • 0x18760:$x3: %FTPDV$
  • 0x18828:$x4: $%TelegramDv$
  • 0x14cf7:$x5: KeyLoggerEventArgs
  • 0x1508d:$x5: KeyLoggerEventArgs
  • 0x187d0:$m1: | Snake Keylogger
  • 0x18888:$m1: | Snake Keylogger
  • 0x189dc:$m1: | Snake Keylogger
  • 0x18b02:$m1: | Snake Keylogger
  • 0x18c5c:$m1: | Snake Keylogger
  • 0x18784:$m2: Clipboard Logs ID
  • 0x18992:$m2: Screenshot Logs ID
  • 0x18aa6:$m2: keystroke Logs ID
  • 0x18c92:$m3: SnakePW
  • 0x1896a:$m4: \SnakeKeylogger\
00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Source | Rule | Description | Author
0.2.fao37nt7gY.exe.41f7220.9.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  Strings:
  • 0x3cd06:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x5c926:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x7c346:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x3beef:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x5bb0f:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x7b52f:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x3c336:$a4: \Orbitum\User Data\Default\Login Data
  • 0x5bf56:$a4: \Orbitum\User Data\Default\Login Data
  • 0x7b976:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3d4b7:$a5: \Kometa\User Data\Default\Login Data
  • 0x5d0d7:$a5: \Kometa\User Data\Default\Login Data
  • 0x7caf7:$a5: \Kometa\User Data\Default\Login Data
0.2.fao37nt7gY.exe.41f7220.9.raw.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.fao37nt7gY.exe.41f7220.9.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.fao37nt7gY.exe.41f7220.9.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.fao37nt7gY.exe.41f7220.9.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
No Sigma rule has matched

Timestamp: 06/26/22-09:33:58.586019
Source IP: 192.168.2.3
Destination IP: 132.226.247.73
SID: 2842536
Source Port: 49740
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: fao37nt7gY.exe | Virustotal: Detection: 36%
Source: fao37nt7gY.exe | ReversingLabs: Detection: 61%
Source: fao37nt7gY.exe | Avira: detected
Source: fao37nt7gY.exe | Joe Sandbox ML: detected
Source: 4.0.fao37nt7gY.exe.400000.8.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 4.0.fao37nt7gY.exe.400000.4.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 4.0.fao37nt7gY.exe.400000.10.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 4.0.fao37nt7gY.exe.400000.6.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 4.0.fao37nt7gY.exe.400000.12.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 4.2.fao37nt7gY.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 4.0.fao37nt7gY.exe.400000.8.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "myreportlog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "myreport@valete.buzz"}
Source: fao37nt7gY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fao37nt7gY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F63D1h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F7DC7h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010FFDE9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F8687h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F7507h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010FF539h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F5F70h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010FEC8Ah
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F8227h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010FF0E1h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F7967h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010FF991h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F6B10h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F6B10h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 010F6B10h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 05510741h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 055102E9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 05510B99h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060DE0A9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D48D1h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D7CF1h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D4D29h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060DE529h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D8149h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D5181h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060DE981h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D85A1h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D55D9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060DEDD9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D89F9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D5A31h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060DF231h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D5E89h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060DF689h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D62E1h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060DFAE1h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D3319h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D6739h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D3771h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D6B91h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D3BC9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D6FE9h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D4021h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D7441h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D4479h
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4x nop then jmp 060D7899h

Networking

                  Source: TrafficSnort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49740 -> 132.226.247.73:80
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeDNS query: name: checkip.dyndns.org
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeDNS query: name: checkip.dyndns.org
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeDNS query: name: checkip.dyndns.org
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeDNS query: name: checkip.dyndns.org
                  Source: Yara matchFile source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fao37nt7gY.exe.26c097c.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE
                  Source: Joe Sandbox ViewASN Name: UTMEMUS UTMEMUS
                  Source: Joe Sandbox ViewIP Address: 132.226.247.73 132.226.247.73
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: fao37nt7gY.exe, 00000004.00000002.529650451.0000000002C86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: fao37nt7gY.exe, 00000004.00000002.529650451.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000004.00000002.529630640.0000000002C76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: fao37nt7gY.exe, 00000004.00000002.529514013.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: fao37nt7gY.exe, 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: fao37nt7gY.exe, 00000004.00000002.529630640.0000000002C76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org4
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: fao37nt7gY.exe, 00000004.00000002.529514013.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC1
                  Source: fao37nt7gY.exe, 00000000.00000003.266914694.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266977576.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comX
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comatt
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comd
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comes
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comig
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comltx
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266977576.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comp
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comtYn
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comue
                  Source: fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266977576.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comva
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: fao37nt7gY.exe, 00000000.00000003.271984837.0000000007987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: fao37nt7gY.exe, 00000000.00000003.271984837.0000000007987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersM
                  Source: fao37nt7gY.exe, 00000000.00000003.270851595.0000000007987000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.270778400.0000000007987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
                  Source: fao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                  Source: fao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                  Source: fao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.come.com
                  Source: fao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comion
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: fao37nt7gY.exe, 00000000.00000003.266130194.000000000799F000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266100232.0000000007980000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266214839.000000000797E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: fao37nt7gY.exe, 00000000.00000003.266207544.00000000079A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnTYe
                  Source: fao37nt7gY.exe, 00000000.00000003.266207544.00000000079A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnlYc
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cv=v
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//h
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6h5Yi
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267809936.0000000007974000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Ih
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Ph
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/eh
                  Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp//h
Source: fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6h5Yi
Source: fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/lh
Source: fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ueo-cv=v
Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: fao37nt7gY.exe, 00000000.00000003.266914694.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266977576.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnltx
Source: fao37nt7gY.exe, 00000000.00000003.266914694.0000000007984000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: fao37nt7gY.exe, 00000000.00000003.266914694.0000000007984000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnva
Source: fao37nt7gY.exe, 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: fao37nt7gY.exe | String found in binary or memory: https://picsum.photos/80
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
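The last two rows (the DNS query and the GET to checkip.dyndns.org with a legacy .NET user agent) and the https://api.telegram.org/bot string a few rows up describe the sample's network side: learn the victim's public IP, then report through the Telegram Bot API. The script below is an added example written for this page, not Joe Sandbox code: it flags those three signals in HTTP proxy logs and correlates them per client. The log line format and the sample lines are constructed for the example, and the bot token in them is fake.

```python
"""Flag the network behaviour from the rows above in HTTP proxy logs:
a public-IP lookup at checkip.dyndns.org, Telegram Bot API traffic, and the
legacy .NET user agent the sample sent. Added example, not sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not from the report). Assumed line format:
#   <timestamp> <client_ip> <method> <host> <path> ua="<user-agent>"
# The bot token is fake; only its shape (<digits>:<secret>) matters here.
SAMPLE_LOG = """\
2022-06-21T10:01:02Z 10.0.0.15 GET checkip.dyndns.org / ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
2022-06-21T10:01:05Z 10.0.0.15 POST api.telegram.org /bot1234567890:AAAAexampleTOKENexampleTOKEN/sendDocument ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
2022-06-21T10:02:10Z 10.0.0.22 GET www.microsoft.com /en-us/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/103.0"
2022-06-21T10:03:00Z 10.0.0.22 GET picsum.photos /80 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/103.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) ua="(?P<ua>[^"]*)"$')
# Exact UA from the report; the optional space also accepts the "CLR 1.0.3705" spelling.
LEGACY_UA_RE = re.compile(
    r'^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; \.NET CLR ?1\.0\.3705;\)$')
# Bot API path shape: /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r'^/bot(?P<botid>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)')
IP_CHECK_HOSTS = {"checkip.dyndns.org"}   # the host queried in the report


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    rule: str
    detail: str


def redact_token(botid: str, secret: str) -> str:
    """Keep enough of the token to pivot on in other logs, not enough to reuse it."""
    return f"{botid}:{secret[:4]}...{secret[-2:]}"


def analyze(log_text: str) -> list:
    """Return one Alert per (line, matching rule); lines that do not parse are skipped."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        f = m.groupdict()
        host = f["host"].lower()
        if host in IP_CHECK_HOSTS:
            alerts.append(Alert(f["ts"], f["src"], "EXTERNAL_IP_LOOKUP", host))
        t = TELEGRAM_BOT_RE.match(f["path"])
        if host == "api.telegram.org" and t:
            detail = f"{t['method']} token={redact_token(t['botid'], t['secret'])}"
            alerts.append(Alert(f["ts"], f["src"], "TELEGRAM_BOT_API", detail))
        if LEGACY_UA_RE.match(f["ua"]):
            alerts.append(Alert(f["ts"], f["src"], "LEGACY_DOTNET_UA", f["ua"]))
    return alerts


def stealer_like_hosts(alerts) -> list:
    """Clients that both looked up their public IP and talked to the Bot API."""
    rules_by_src = defaultdict(set)
    for a in alerts:
        rules_by_src[a.src].add(a.rule)
    wanted = {"EXTERNAL_IP_LOOKUP", "TELEGRAM_BOT_API"}
    return sorted(src for src, rules in rules_by_src.items() if wanted <= rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("stealer-like clients:", stealer_like_hosts(found))
```

The user-agent match on its own is weak evidence: that string appears in Microsoft's WebClient sample code and is copied into benign .NET tools as well. The per-client correlation in stealer_like_hosts is what makes the alert worth a look, and the token is redacted in the alert so the detail field can be shared without handing out a working bot credential.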

                  System Summary

Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.26c097c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: fao37nt7gY.exe PID: 6408, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: fao37nt7gY.exe PID: 6712, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: fao37nt7gY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fao37nt7gY.exe.26c097c.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: fao37nt7gY.exe PID: 6408, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: fao37nt7gY.exe PID: 6712, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
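The YARA rows above list every hit twice (a short "description Author:" form and a long form carrying the rule's metadata) across a dozen memory regions and dumps, which hides the simple picture: a handful of rules firing in two processes. The script below is an added example written for this page, not Joe Sandbox code; it parses rows in exactly the form shown on this page (including the fused "UNPACKEDPEMatched rule:" spelling) and folds them into one entry per rule, with the distinct regions and processes each rule matched. The five sample rows are copied from the listing above.

```python
"""Collapse the YARA match rows above into one entry per rule: which rule
fired, in which process and memory region, and with what metadata.
Added example written for this page; not Joe Sandbox code."""
import re

# Rows copied from the listing above. Both the short "... Author: X" form and
# the long "RULE_NAME key = value, ..." form appear; ROW_RE also accepts the
# fused "UNPACKEDPEMatched rule:" spelling the page uses.
SAMPLE_ROWS = """\
Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: fao37nt7gY.exe PID: 6712, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
"""

ROW_RE = re.compile(r'^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*Matched rule:\s*(?P<rule>.+?)\s*$')
LONG_RE = re.compile(r'^(?P<name>[A-Za-z0-9_]+)\s+(?P<meta>\w+ = .*)$')
META_RE = re.compile(r'(\w+) = (.*?)(?=, \w+ = |$)')
SHORT_RE = re.compile(r'^(?P<desc>.+?)\s+Author:\s+(?P<author>.+)$')
# "<proc>.<state>.<image>.<addr>.<n>[.raw].unpack" dump names
DUMP_RE = re.compile(r'^(?P<proc>\d+)\.\d+\.\S+?\.(?P<addr>[0-9a-f]+\.\d+)(?:\.raw)?\.unpack$')
# "<proc>.<state>.<id>.<base address>...sdmp" memory dump names
SDMP_RE = re.compile(r'^(?P<proc>\d{8})\.\d{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.')
PIDSPACE_RE = re.compile(r'PID:\s*(?P<pid>\d+)')


def parse_rule(text: str):
    """Return (rule name or None, metadata dict) for either row form."""
    m = LONG_RE.match(text)
    if m:
        return m["name"], dict(META_RE.findall(m["meta"]))
    m = SHORT_RE.match(text)
    if m:
        return None, {"description": m["desc"], "author": m["author"]}
    return None, {"description": text}


def normalize_source(source: str):
    """Map a source cell to (process label, location) so repeats collapse."""
    m = DUMP_RE.match(source)
    if m:
        return f"proc{int(m['proc'])}", f"unpack@{m['addr']}"
    m = SDMP_RE.match(source)
    if m:
        return f"proc{int(m['proc'])}", f"sdmp@{m['addr']}"
    m = PIDSPACE_RE.search(source)
    if m:
        return f"pid{m['pid']}", "process memory space"
    return None, source


def summarize(rows_text: str) -> dict:
    """One entry per rule. Short-form rows are folded into the named rule
    whose description matches, since the report lists each hit twice."""
    by_key = {}
    for line in rows_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, meta = parse_rule(m["rule"])
        key = name or meta["description"]
        e = by_key.setdefault(key, {"name": name, "meta": {}, "sources": set(), "procs": set(), "types": set()})
        e["meta"].update(meta)
        proc, loc = normalize_source(m["source"])
        e["sources"].add(loc)
        if proc:
            e["procs"].add(proc)
        e["types"].add(m["type"])
    for key in [k for k, e in by_key.items() if e["name"] is None]:
        desc = by_key[key]["meta"]["description"]
        targets = [e for e in by_key.values() if e["name"] and e["meta"].get("description") == desc]
        if targets:
            short = by_key.pop(key)
            for field in ("sources", "procs", "types"):
                targets[0][field] |= short[field]
    return by_key


def render(summary: dict) -> list:
    """Plain-text triage lines, most widely matched rule first."""
    lines = []
    for key, e in sorted(summary.items(), key=lambda kv: -len(kv[1]["sources"])):
        lines.append(f"{key}: {len(e['sources'])} region(s) in {sorted(e['procs'])}; "
                     f"types={sorted(e['types'])}; description={e['meta'].get('description', '?')}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_ROWS))))
```

Fed the full listing, the output is one line per rule naming the distinct dumps and both process indices, which is the form that fits in an incident ticket; the metadata dict keeps the rule's hash1/hash2 and clamav_sig values for pivoting to other samples.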
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 0_2_0022A9C9, 0_2_091E015C, 0_2_091E3188, 0_2_091E0448, 0_2_091E6938, 0_2_091E6927, 0_2_091E6BD8, 0_2_091E6BC8, 0_2_091E0438, 0_2_091E1790, 0_2_0022735B
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4_2_007DA9C9, 4_2_010F6111, 4_2_010F7B08, 4_2_010FFB30, 4_2_010F6B88, 4_2_010F83C9, 4_2_010F7230, 4_2_010FF280, 4_2_010F5587, 4_2_010FA45A, 4_2_010FE758, 4_2_010F7F68, 4_2_010FEE28, 4_2_010F76A8, 4_2_010FF6D8, 4_2_010F6B78, 4_2_010F4A98, 4_2_010F4AA8, 4_2_010FDFD0, 4_2_010FDFE0, 4_2_05510498, 4_2_05510488, 4_2_05510040, 4_2_05510006, 4_2_05514318, 4_2_0551430A, 4_2_05512398, 4_2_05512388, 4_2_05514F9F, 4_2_05514FB0, 4_2_05514959, 4_2_05514968, 4_2_055129CF, 4_2_055129E0, 4_2_055108F0, 4_2_055108E0, 4_2_05513678, 4_2_05513668, 4_2_055116F8, 4_2_055116EA, 4_2_05513018, 4_2_05513028, 4_2_05511D48, 4_2_05511D38, 4_2_05513CC8, 4_2_05513CB9, 4_2_060DDE00, 4_2_060D4628, 4_2_060D7A48, 4_2_060D4A80, 4_2_060DE280, 4_2_060D7EA0, 4_2_060D4ED8, 4_2_060DE6D8, 4_2_060D82F8, 4_2_060D5330, 4_2_060DEB30, 4_2_060D8750, 4_2_060DB770, 4_2_060D5788, 4_2_060DEF88, 4_2_060DC398, 4_2_060D8BA8, 4_2_060D5BE0, 4_2_060DF3E0, 4_2_060D6038, 4_2_060DF838, 4_2_060D0040, 4_2_060D3070, 4_2_060DD098, 4_2_060D6490, 4_2_060D34C8, 4_2_060D68E8, 4_2_060D3920, 4_2_060D6D40, 4_2_060D3D78, 4_2_060D7198, 4_2_060D41D0, 4_2_060D75F0, 4_2_060D4619, 4_2_007D735B
Source: fao37nt7gY.exe, 00000000.00000002.299876678.0000000009210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeVariant.dll" vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeVariant.dll" vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000000.00000002.294029470.0000000002668000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloneHelper.dll4 vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000000.00000002.299891346.0000000009360000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000000.00000000.255294182.0000000000238000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAnsiBSTRMarsha.exe> vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000000.00000002.295529801.0000000003F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000004.00000000.287949376.00000000007E8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAnsiBSTRMarsha.exe> vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000004.00000000.289303539.0000000000422000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000004.00000002.528553222.0000000000B77000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs fao37nt7gY.exe
Source: fao37nt7gY.exe, 00000004.00000002.528818792.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs fao37nt7gY.exe
Source: fao37nt7gY.exe | Binary or memory string: OriginalFilenameAnsiBSTRMarsha.exe> vs fao37nt7gY.exe
Source: fao37nt7gY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fao37nt7gY.exe | Virustotal: Detection: 36%
Source: fao37nt7gY.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\fao37nt7gY.exe "C:\Users\user\Desktop\fao37nt7gY.exe"
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Process created: C:\Users\user\Desktop\fao37nt7gY.exe C:\Users\user\Desktop\fao37nt7gY.exe
Source: C:\Users\user\Desktop\fao37nt7gY.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fao37nt7gY.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: fao37nt7gY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, u05c1????/??ufffd??.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, U????/??Z??.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, u05c1????/??ufffd??.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, U????/??Z??.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, u05c1????/??ufffd??.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, U????/??Z??.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, u05c1????/??ufffd??.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\fao37nt7gY.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\fao37nt7gY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: fao37nt7gY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: fao37nt7gY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 0_2_091E5FF4 push E803F8D5h; ret
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 0_2_091E6626 push ss; retf
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4_2_010F1B69 push 8BFFFFFFh; retf
Source: fao37nt7gY.exe | Static PE information: 0xC17ACC50 [Fri Nov 11 00:39:44 2072 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.898848371541667
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: 0.2.fao37nt7gY.exe.26c097c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fao37nt7gY.exe PID: 6408, type: MEMORYSTR
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\fao37nt7gY.exe TID: 6500 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Process information queried: ProcessInformation
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: fao37nt7gY.exe, 00000004.00000002.528856707.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: fao37nt7gY.exe, 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Code function: 4_2_010F6B88 LdrInitializeThunk,
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 4.0.fao37nt7gY.exe.400000.8.unpack, U????/??Z??.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 4.0.fao37nt7gY.exe.400000.8.unpack, ????A/u0032u060cufffd??.cs | Reference to suspicious API methods: ('???A?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, U????/??Z??.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 4.0.fao37nt7gY.exe.400000.4.unpack, ????A/u0032u060cufffd??.cs | Reference to suspicious API methods: ('???A?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, U????/??Z??.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 4.0.fao37nt7gY.exe.400000.10.unpack, ????A/u0032u060cufffd??.cs | Reference to suspicious API methods: ('???A?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, U????/??Z??.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 4.0.fao37nt7gY.exe.400000.6.unpack, ????A/u0032u060cufffd??.cs | Reference to suspicious API methods: ('???A?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, U????/??Z??.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 4.0.fao37nt7gY.exe.400000.12.unpack, ????A/u0032u060cufffd??.cs | Reference to suspicious API methods: ('???A?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, U????/??Z??.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 4.2.fao37nt7gY.exe.400000.0.unpack, ????A/u0032u060cufffd??.cs | Reference to suspicious API methods: ('???A?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Memory written: C:\Users\user\Desktop\fao37nt7gY.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Process created: C:\Users\user\Desktop\fao37nt7gY.exe C:\Users\user\Desktop\fao37nt7gY.exe
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Users\user\Desktop\fao37nt7gY.exe VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Users\user\Desktop\fao37nt7gY.exe VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: fao37nt7gY.exe PID: 6408, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: fao37nt7gY.exe PID: 6712, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\fao37nt7gY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.41f7220.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4218c40.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.0.fao37nt7gY.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4238860.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4218c40.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.fao37nt7gY.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fao37nt7gY.exe.4238860.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: fao37nt7gY.exe PID: 6408, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: fao37nt7gY.exe PID: 6712, type: MEMORYSTR
                  MITRE ATT&CK Matrix (one row per line, cells separated by " | "; a leading number is the signature-count badge shown for that technique; an empty cell is left blank)

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | 1 Native API | Path Interception | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | 
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                  Antivirus detection for the submitted file

                  Source | Detection | Scanner | Label
                  fao37nt7gY.exe | 36% | Virustotal | 
                  fao37nt7gY.exe | 62% | ReversingLabs | ByteCode-MSIL.Spyware.SnakeLogger
                  fao37nt7gY.exe | 100% | Avira | HEUR/AGEN.1202539
                  fao37nt7gY.exe | 100% | Joe Sandbox ML | 
                  No Antivirus matches
                  Antivirus detection for unpacked PE files

                  Source | Detection | Scanner | Label
                  4.0.fao37nt7gY.exe.760000.2.unpack | 100% | Avira | HEUR/AGEN.1202539
                  0.0.fao37nt7gY.exe.1b0000.0.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.760000.5.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.400000.8.unpack | 100% | Avira | TR/ATRAPS.Gen
                  4.0.fao37nt7gY.exe.760000.9.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.400000.4.unpack | 100% | Avira | TR/ATRAPS.Gen
                  4.2.fao37nt7gY.exe.760000.1.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.760000.7.unpack | 100% | Avira | HEUR/AGEN.1202539
                  0.2.fao37nt7gY.exe.1b0000.0.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.400000.10.unpack | 100% | Avira | TR/ATRAPS.Gen
                  4.0.fao37nt7gY.exe.400000.6.unpack | 100% | Avira | TR/ATRAPS.Gen
                  4.0.fao37nt7gY.exe.760000.0.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.760000.13.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.400000.12.unpack | 100% | Avira | TR/ATRAPS.Gen
                  4.0.fao37nt7gY.exe.760000.11.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.0.fao37nt7gY.exe.760000.3.unpack | 100% | Avira | HEUR/AGEN.1202539
                  4.2.fao37nt7gY.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                  4.0.fao37nt7gY.exe.760000.1.unpack | 100% | Avira | HEUR/AGEN.1202539
                  No Antivirus matches
                  Contacted domains

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  checkip.dyndns.com | 132.226.247.73 | true | true |  | unknown
                  checkip.dyndns.org | unknown | unknown | true |  | unknown
                  Contacted URLs

                  Name | Malicious | Antivirus Detection | Reputation
                  http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://checkip.dyndns.comfao37nt7gY.exe, 00000004.00000002.529650451.0000000002C86000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPleasefao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cnfao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namefao37nt7gY.exe, 00000004.00000002.529514013.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.carterandcone.como.fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266977576.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designerspfao37nt7gY.exe, 00000000.00000003.270851595.0000000007987000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.270778400.0000000007987000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sakkal.comfao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comigfao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.apache.org/licenses/LICENSE-2.0fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.fontbureau.comfao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.fontbureau.comFfao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comdfao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comTCfao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comXfao37nt7gY.exe, 00000000.00000003.266914694.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266977576.0000000007984000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.compfao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267207178.000000000797E000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267165935.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://checkip.dyndns.orgfao37nt7gY.exe, 00000004.00000002.529650451.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000004.00000002.529630640.0000000002C76000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comionfao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/jp/fao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comafao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.come.comfao37nt7gY.exe, 00000000.00000002.299020477.000000000797D000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292492176.000000000797C000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.292420681.0000000007970000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comlfao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNfao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.carterandcone.comltxfao37nt7gY.exe, 00000000.00000003.267236465.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/6h5Yifao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.founder.com.cn/cnfao37nt7gY.exe, 00000000.00000003.266130194.000000000799F000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266100232.0000000007980000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.266214839.000000000797E000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlfao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.zhongyicts.com.cnvafao37nt7gY.exe, 00000000.00000003.266914694.0000000007984000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.founder.com.cn/cnTYefao37nt7gY.exe, 00000000.00000003.266207544.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.zhongyicts.com.cno.fao37nt7gY.exe, 00000000.00000003.266914694.0000000007984000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers8fao37nt7gY.exe, 00000000.00000002.299237648.0000000008B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://picsum.photos/80fao37nt7gY.exefalse
                                                    high
                                                    http://www.founder.com.cn/cnlYcfao37nt7gY.exe, 00000000.00000003.266207544.00000000079A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/ueo-cv=vfao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/Ihfao37nt7gY.exe, 00000000.00000003.268692530.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.267809936.0000000007974000.00000004.00000800.00020000.00000000.sdmp, fao37nt7gY.exe, 00000000.00000003.269235128.000000000797A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/jp//hfao37nt7gY.exe, 00000000.00000003.268152037.000000000797B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs
IP:132.226.247.73
Domain:checkip.dyndns.com
Country:United States
ASN:16989
ASN Name:UTMEMUS
Malicious:true
                                                    Joe Sandbox Version:35.0.0 Citrine
                                                    Analysis ID:652385
Start date and time:2022-06-26 09:32:30 +02:00
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 10m 11s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:fao37nt7gY.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HDC Information:Failed
                                                    HCA Information:
                                                    • Successful, ratio: 97%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time:09:33:47
Type:API Interceptor
Description:1x Sleep call for process: fao37nt7gY.exe modified
                                                    No context
                                                    Process:C:\Users\user\Desktop\fao37nt7gY.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.355304211458859
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                    MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                    SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                    SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                    SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.892275827052916
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:fao37nt7gY.exe
                                                    File size:545280
                                                    MD5:91588814db24dfa4c564f5379612f43f
                                                    SHA1:7cacd0d8fea4635158e42a6edd33fda288aae492
                                                    SHA256:45683622f38425de1a6c808e52245b68331d1ac0fe430d9dd769ae746929b812
                                                    SHA512:3c35d09ec361a0cd359d2332c49cc1adf99bb773a24efc415906d9fba2c3db997cce5ecbed9239493ce7f745c65e2bd18acd6fc21a34d4740fbde3d1fe9f33dc
                                                    SSDEEP:12288:skMzTq4jV4L1aH125p7PK1jMvlJOeZemkTJjCJ073zREn1:QzTqYVm1e127PK1jMvXEmk12G7
                                                    TLSH:79C4DFAC311076EFC85BC5729AA82C64EB6074BB431B9213A02715ED9E4DAD7CF254F3
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.z...............0..J...........i... ........@.. ....................................@................................
                                                    Icon Hash:00828e8e8686b000
                                                    Entrypoint:0x48691e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xC17ACC50 [Fri Nov 11 00:39:44 2072 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x868cc         | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x88000         | 0x3b8        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x8a000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x84924      | 0x84a00  | False    | 0.9224898385956645 | data      | 7.898848371541667   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x88000         | 0x3b8        | 0x400    | False    | 0.392578125        | data      | 3.004757213118269   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8a000         | 0xc          | 0x200    | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name       | RVA     | Size  | Type | Language | Country
RT_VERSION | 0x88058 | 0x35c | data |          |

DLL         | Import
mscoree.dll | _CorExeMain
Timestamp                | Protocol | SID     | Message                                                         | Source Port | Dest Port | Source IP   | Dest IP
06/26/22-09:33:58.586019 | TCP      | 2842536 | ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49740       | 80        | 192.168.2.3 | 132.226.247.73
Timestamp                            | Source Port | Dest Port | Source IP      | Dest IP
Jun 26, 2022 09:33:58.354314089 CEST | 49740       | 80        | 192.168.2.3    | 132.226.247.73
Jun 26, 2022 09:33:58.585334063 CEST | 80          | 49740     | 132.226.247.73 | 192.168.2.3
Jun 26, 2022 09:33:58.585561037 CEST | 49740       | 80        | 192.168.2.3    | 132.226.247.73
Jun 26, 2022 09:33:58.586019039 CEST | 49740       | 80        | 192.168.2.3    | 132.226.247.73
Jun 26, 2022 09:33:58.817984104 CEST | 80          | 49740     | 132.226.247.73 | 192.168.2.3
Jun 26, 2022 09:33:58.818480968 CEST | 80          | 49740     | 132.226.247.73 | 192.168.2.3
Jun 26, 2022 09:33:58.873130083 CEST | 49740       | 80        | 192.168.2.3    | 132.226.247.73
Jun 26, 2022 09:35:03.830621958 CEST | 80          | 49740     | 132.226.247.73 | 192.168.2.3
Jun 26, 2022 09:35:03.831502914 CEST | 49740       | 80        | 192.168.2.3    | 132.226.247.73
Jun 26, 2022 09:35:38.836586952 CEST | 49740       | 80        | 192.168.2.3    | 132.226.247.73
Jun 26, 2022 09:35:39.070370913 CEST | 80          | 49740     | 132.226.247.73 | 192.168.2.3
Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Jun 26, 2022 09:33:58.278239012 CEST | 64851       | 53        | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:33:58.296936989 CEST | 53          | 64851     | 8.8.8.8     | 192.168.2.3
Jun 26, 2022 09:33:58.311875105 CEST | 49316       | 53        | 192.168.2.3 | 8.8.8.8
Jun 26, 2022 09:33:58.333462954 CEST | 53          | 49316     | 8.8.8.8     | 192.168.2.3
Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name               | Type           | Class
Jun 26, 2022 09:33:58.278239012 CEST | 192.168.2.3 | 8.8.8.8 | 0x2dad   | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Jun 26, 2022 09:33:58.311875105 CEST | 192.168.2.3 | 8.8.8.8 | 0xa32e   | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name               | CName              | Address        | Type                   | Class
Jun 26, 2022 09:33:58.296936989 CEST | 8.8.8.8   | 192.168.2.3 | 0x2dad   | No error (0) | checkip.dyndns.org | checkip.dyndns.com |                | CNAME (Canonical name) | IN (0x0001)
Jun 26, 2022 09:33:58.296936989 CEST | 8.8.8.8   | 192.168.2.3 | 0x2dad   | No error (0) | checkip.dyndns.com |                    | 132.226.247.73 | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.296936989 CEST | 8.8.8.8   | 192.168.2.3 | 0x2dad   | No error (0) | checkip.dyndns.com |                    | 132.226.8.169  | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.296936989 CEST | 8.8.8.8   | 192.168.2.3 | 0x2dad   | No error (0) | checkip.dyndns.com |                    | 193.122.130.0  | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.296936989 CEST | 8.8.8.8   | 192.168.2.3 | 0x2dad   | No error (0) | checkip.dyndns.com |                    | 193.122.6.168  | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.296936989 CEST | 8.8.8.8   | 192.168.2.3 | 0x2dad   | No error (0) | checkip.dyndns.com |                    | 158.101.44.242 | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.333462954 CEST | 8.8.8.8   | 192.168.2.3 | 0xa32e   | No error (0) | checkip.dyndns.org | checkip.dyndns.com |                | CNAME (Canonical name) | IN (0x0001)
Jun 26, 2022 09:33:58.333462954 CEST | 8.8.8.8   | 192.168.2.3 | 0xa32e   | No error (0) | checkip.dyndns.com |                    | 193.122.130.0  | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.333462954 CEST | 8.8.8.8   | 192.168.2.3 | 0xa32e   | No error (0) | checkip.dyndns.com |                    | 132.226.247.73 | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.333462954 CEST | 8.8.8.8   | 192.168.2.3 | 0xa32e   | No error (0) | checkip.dyndns.com |                    | 158.101.44.242 | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.333462954 CEST | 8.8.8.8   | 192.168.2.3 | 0xa32e   | No error (0) | checkip.dyndns.com |                    | 193.122.6.168  | A (IP address)         | IN (0x0001)
Jun 26, 2022 09:33:58.333462954 CEST | 8.8.8.8   | 192.168.2.3 | 0xa32e   | No error (0) | checkip.dyndns.com |                    | 132.226.8.169  | A (IP address)         | IN (0x0001)
• checkip.dyndns.org

Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
0          | 192.168.2.3 | 49740       | 132.226.247.73 | 80               | C:\Users\user\Desktop\fao37nt7gY.exe
Timestamp: Jun 26, 2022 09:33:58.586019039 CEST   kBytes transferred: 1128   Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jun 26, 2022 09:33:58.818480968 CEST   kBytes transferred: 1129   Direction: IN
Data:
HTTP/1.1 200 OK
Date: Sun, 26 Jun 2022 07:33:58 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.61</body></html>



Target ID: 0
Start time: 09:33:36
Start date: 26/06/2022
Path: C:\Users\user\Desktop\fao37nt7gY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\fao37nt7gY.exe"
Imagebase: 0x1b0000
File size: 545280 bytes
MD5 hash: 91588814DB24DFA4C564F5379612F43F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.294124707.00000000026B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.296300274.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low

Target ID: 4
Start time: 09:33:49
Start date: 26/06/2022
Path: C:\Users\user\Desktop\fao37nt7gY.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\fao37nt7gY.exe
Imagebase: 0x760000
File size: 545280 bytes
MD5 hash: 91588814DB24DFA4C564F5379612F43F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.291271149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.288871378.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.527545440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.286522251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.285660000.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low

                                                    No disassembly