Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
bh4BVURVUr.exe

Overview

General Information

Sample Name:bh4BVURVUr.exe
Analysis ID:652392
MD5:146c170d7ad83ed8302a01081326bcdd
SHA1:c5849331066878e36bbab16b9117b5abe043f1de
SHA256:fe8f94b75b067dfa0fb373ea8c05c4c18dbaec41cf83b2de27a02740ad6f43c2
Tags:exeSnakeKeylogger
Infos:

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • bh4BVURVUr.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\bh4BVURVUr.exe" MD5: 146C170D7AD83ED8302A01081326BCDD)
    • bh4BVURVUr.exe (PID: 6364 cmdline: C:\Users\user\Desktop\bh4BVURVUr.exe MD5: 146C170D7AD83ED8302A01081326BCDD)
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "yugo@gthltd.buzz"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
    00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
      00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_SnakeKeyloggerDetects Snake KeyloggerditekSHen
        • 0x173ac:$x1: $%SMTPDV$
        • 0x173c2:$x2: $#TheHashHere%&
        • 0x1874c:$x3: %FTPDV$
        • 0x18814:$x4: $%TelegramDv$
        • 0x14d0b:$x5: KeyLoggerEventArgs
        • 0x150a1:$x5: KeyLoggerEventArgs
        • 0x187bc:$m1: | Snake Keylogger
        • 0x18874:$m1: | Snake Keylogger
        • 0x189c8:$m1: | Snake Keylogger
        • 0x18aee:$m1: | Snake Keylogger
        • 0x18c48:$m1: | Snake Keylogger
        • 0x18770:$m2: Clipboard Logs ID
        • 0x1897e:$m2: Screenshot Logs ID
        • 0x18a92:$m2: keystroke Logs ID
        • 0x18c7e:$m3: SnakePW
        • 0x18956:$m4: \SnakeKeylogger\
        00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
          Click to see the 31 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          6.0.bh4BVURVUr.exe.400000.4.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
          • 0x1b2d2:$a2: \Comodo\Dragon\User Data\Default\Login Data
          • 0x1a4bb:$a3: \Google\Chrome\User Data\Default\Login Data
          • 0x1a902:$a4: \Orbitum\User Data\Default\Login Data
          • 0x1ba83:$a5: \Kometa\User Data\Default\Login Data
          6.0.bh4BVURVUr.exe.400000.4.unpackJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
            6.0.bh4BVURVUr.exe.400000.4.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
              6.0.bh4BVURVUr.exe.400000.4.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                6.0.bh4BVURVUr.exe.400000.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 70 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  Timestamp:192.168.2.5132.226.8.16949772802842536 06/26/22-09:45:10.882218
                  SID:2842536
                  Source Port:49772
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: bh4BVURVUr.exeVirustotal: Detection: 34%Perma Link
                  Source: bh4BVURVUr.exeReversingLabs: Detection: 27%
                  Machine Learning detection for sample
                  Source: bh4BVURVUr.exeJoe Sandbox ML: detected
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpackAvira: Label: TR/ATRAPS.Gen
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpackAvira: Label: TR/ATRAPS.Gen
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpackAvira: Label: TR/ATRAPS.Gen
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpackAvira: Label: TR/ATRAPS.Gen
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpackAvira: Label: TR/ATRAPS.Gen
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpackAvira: Label: TR/ATRAPS.Gen
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpackMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "yugo@gthltd.buzz"}
                  Source: bh4BVURVUr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: bh4BVURVUr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 014763D1h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01477507h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01478687h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 0147F539h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01475F70h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 0147EC8Ah
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 0147F991h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01476B10h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01477967h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01477DC7h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 0147FDE9h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01478227h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 0147F0E1h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01476B10h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 01476B10h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 05610741h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 056102E9h
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 4x nop then jmp 05610B99h

                  Networking

                  barindex
                  Snort IDS alert for network traffic
                  Source: TrafficSnort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.5:49772 -> 132.226.8.169:80
                  May check the online IP address of the machine
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeDNS query: name: checkip.dyndns.org
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeDNS query: name: checkip.dyndns.org
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeDNS query: name: checkip.dyndns.org
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeDNS query: name: checkip.dyndns.org
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Joe Sandbox ViewASN Name: UTMEMUS UTMEMUS
                  Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: bh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: bh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org4
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: unknownDNS traffic detected: queries for: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: bh4BVURVUr.exe, 00000000.00000002.489757382.0000000001400000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: bh4BVURVUr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3AC93
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3B294
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3AA66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3AE66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3B066
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3AB9B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3B166
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 0_2_00D3AF66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3AC93
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3B294
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3AA66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3AE66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3B066
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3AB9B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3B166
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_00C3AF66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01476111
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_014771DA
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_014783C9
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147F280
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01475587
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147A45A
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147E758
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147F6D8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_014776A8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01477B08
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147FB30
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01476B88
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01477F68
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147EE28
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01476B78
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01474A98
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01474AA8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01472C29
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147DFD0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0147DFE0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05610498
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05610040
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05614318
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05612398
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05614FB0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05614968
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_056129E0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_056108F0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05613678
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_056116F8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05613028
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05611D48
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05613CC8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05610488
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05610006
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0561430B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05612388
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05614F9F
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_0561495B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_056129CF
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_056108E0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05613668
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_056116EB
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05613018
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05611D38
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_05613CB9
                  Source: bh4BVURVUr.exeBinary or memory string: OriginalFilename vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.495479175.00000000076F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTweenEngineAPI.dllD vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.495425295.00000000076D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNativeVariant.dll" vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.489757382.0000000001400000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSafeFileHan.exeF vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000006.00000002.713389170.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSafeFileHan.exeF vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000006.00000002.712942536.0000000000422000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000006.00000002.713498414.00000000010F7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exeBinary or memory string: OriginalFilenameSafeFileHan.exeF vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: bh4BVURVUr.exeVirustotal: Detection: 34%
                  Source: bh4BVURVUr.exeReversingLabs: Detection: 27%
                  Source: bh4BVURVUr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\bh4BVURVUr.exe "C:\Users\user\Desktop\bh4BVURVUr.exe"
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess created: C:\Users\user\Desktop\bh4BVURVUr.exe C:\Users\user\Desktop\bh4BVURVUr.exe
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess created: C:\Users\user\Desktop\bh4BVURVUr.exe C:\Users\user\Desktop\bh4BVURVUr.exe
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bh4BVURVUr.exe.logJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                  Source: bh4BVURVUr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: bh4BVURVUr.exeString found in binary or memory: $33fe5c32-db6a-4d7a-addc-e1d0d8588fa9
                  Source: bh4BVURVUr.exe, CIS443Homework1___InterfaceFiles/Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.0.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.2.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.bh4BVURVUr.exe.c30000.11.unpack, CIS443Homework1___InterfaceFiles/Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.bh4BVURVUr.exe.c30000.2.unpack, CIS443Homework1___InterfaceFiles/Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, udbb0udc9a???/ufffdR?ufffd?.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: bh4BVURVUr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: bh4BVURVUr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
                  .NET source code contains potential unpacker
                  Source: bh4BVURVUr.exe, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.0.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.2.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.11.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.2.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.2.bh4BVURVUr.exe.c30000.1.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.13.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.3.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.5.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.1.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.932077624932354
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe TID: 7052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeThread delayed: delay time: 922337203685477
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeCode function: 6_2_01475587 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  .NET source code references suspicious native API functions
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, ?ufffdufffd??/?u07fbufffdu0040?.csReference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, W?ufffd??/ufffd?ufffd??.csReference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, ?ufffdufffd??/?u07fbufffdu0040?.csReference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, W?ufffd??/ufffd?ufffd??.csReference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, ?ufffdufffd??/?u07fbufffdu0040?.csReference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, W?ufffd??/ufffd?ufffd??.csReference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, ?ufffdufffd??/?u07fbufffdu0040?.csReference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, W?ufffd??/ufffd?ufffd??.csReference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, ?ufffdufffd??/?u07fbufffdu0040?.csReference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, W?ufffd??/ufffd?ufffd??.csReference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, ?ufffdufffd??/?u07fbufffdu0040?.csReference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, W?ufffd??/ufffd?ufffd??.csReference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeMemory written: C:\Users\user\Desktop\bh4BVURVUr.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeProcess created: C:\Users\user\Desktop\bh4BVURVUr.exe C:\Users\user\Desktop\bh4BVURVUr.exe
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Users\user\Desktop\bh4BVURVUr.exe VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Users\user\Desktop\bh4BVURVUr.exe VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Snake Keylogger
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTR
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected Snake Keylogger
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts2
                  Command and Scripting Interpreter                  		Path Interception111
                  Process Injection                  		1
                  Masquerading                  		2
                  OS Credential Dumping                  		11
                  Security Software Discovery                  		Remote Services1
                  Email Collection                  		Exfiltration Over Other Network Medium1
                  Encrypted Channel                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts1
                  Native API                  		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools                  		1
                  Input Capture                  		1
                  Process Discovery                  		Remote Desktop Protocol1
                  Input Capture                  		Exfiltration Over Bluetooth1
                  Ingress Tool Transfer                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
                  Virtualization/Sandbox Evasion                  		Security Account Manager21
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin Shares11
                  Archive Collected Data                  		Automated Exfiltration2
                  Non-Application Layer Protocol                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
                  Process Injection                  		NTDS1
                  Remote System Discovery                  		Distributed Component Object Model2
                  Data from Local System                  		Scheduled Transfer12
                  Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information                  		LSA Secrets1
                  System Network Configuration Discovery                  		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common2
                  Obfuscated Files or Information                  		Cached Domain Credentials13
                  System Information Discovery                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items13
                  Software Packing                  		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  bh4BVURVUr.exe34%VirustotalBrowse
                  bh4BVURVUr.exe28%ReversingLabsByteCode-MSIL.Spyware.SnakeLogger
                  bh4BVURVUr.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  6.0.bh4BVURVUr.exe.400000.12.unpack100%AviraTR/ATRAPS.GenDownload File
                  6.0.bh4BVURVUr.exe.400000.6.unpack100%AviraTR/ATRAPS.GenDownload File
                  6.0.bh4BVURVUr.exe.400000.10.unpack100%AviraTR/ATRAPS.GenDownload File
                  6.0.bh4BVURVUr.exe.400000.4.unpack100%AviraTR/ATRAPS.GenDownload File
                  6.2.bh4BVURVUr.exe.400000.0.unpack100%AviraTR/ATRAPS.GenDownload File
                  6.0.bh4BVURVUr.exe.400000.8.unpack100%AviraTR/ATRAPS.GenDownload File

                  Domains

                  SourceDetectionScannerLabelLink
                  checkip.dyndns.com0%VirustotalBrowse
                  checkip.dyndns.org0%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://checkip.dyndns.org0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://checkip.dyndns.org40%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://checkip.dyndns.org/0%URL Reputationsafe
                  http://checkip.dyndns.org/q0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://checkip.dyndns.com0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  checkip.dyndns.com
                  		132.226.8.169
                  		truetrueunknown
                  checkip.dyndns.org
                  		unknown
                  		unknowntrueunknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://checkip.dyndns.org/true
                  • URL Reputation: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.apache.org/licenses/LICENSE-2.0bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.combh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designersGbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designers/?bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/bThebh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://api.telegram.org/botbh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.com/designers?bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.tiro.combh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://checkip.dyndns.orgbh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.goodfont.co.krbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.carterandcone.comlbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sajatypeworks.combh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://checkip.dyndns.org4bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netDbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/cabarga.htmlNbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cn/cThebh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.combh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cnbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/frere-jones.htmlbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://checkip.dyndns.org/qbh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/DPleasebh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers8bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.fonts.combh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.sandoll.co.krbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://checkip.dyndns.combh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.urwpp.deDPleasebh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.zhongyicts.com.cnbh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namebh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sakkal.combh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          132.226.8.169
                                          		checkip.dyndns.comUnited States
                                          		16989UTMEMUStrue

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:35.0.0 Citrine
                                          Analysis ID:652392
                                          Start date and time: 26/06/202209:43:252022-06-26 09:43:25 +02:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 11m 26s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:bh4BVURVUr.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:19
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                          EGA Information:
                                          • Successful, ratio: 50%
                                          HDC Information:
                                          • Successful, ratio: 3.7% (good quality ratio 1.8%)
                                          • Quality average: 30.2%
                                          • Quality standard deviation: 38.2%
                                          HCA Information:
                                          • Successful, ratio: 99%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Adjust boot time
                                          • Enable AMSI

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                          • Execution Graph export aborted for target bh4BVURVUr.exe, PID 6944 because it is empty
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          09:45:01API Interceptor1x Sleep call for process: bh4BVURVUr.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASNs

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bh4BVURVUr.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.9268931202438395
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:bh4BVURVUr.exe
                                          File size:784384
                                          MD5:146c170d7ad83ed8302a01081326bcdd
                                          SHA1:c5849331066878e36bbab16b9117b5abe043f1de
                                          SHA256:fe8f94b75b067dfa0fb373ea8c05c4c18dbaec41cf83b2de27a02740ad6f43c2
                                          SHA512:bee1aff05e0023060f96e7be988a717060af6c81bb301f8b58271855fd7fca60dd80e7a86a9c93fd67a422319dc0cbe48991cc651c99683266e4f7f2a57f8dcc
                                          SSDEEP:12288:PEH2iN1kPRxliW1hzMCuQaW9pXajhYQXzlRWtw7prlmUaO1wtqrU+iEp9esIUTat:o13kPRrhhzNVaGNajhTXRmgr5wtq/XzF
                                          TLSH:FAF412C5E3A45EDAC58383F51CACD5042666F38E45BCC21178BA759FD4723E291A3E0B
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:..b..............0.................. ... ....@.. .......................`............@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x4c0ede
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x62B71B3A [Sat Jun 25 14:27:06 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          dec eax
                                          push edx
                                          dec eax
                                          inc ecx
                                          xor eax, 45373434h
                                          cmp byte ptr [3534564Eh], dh
                                          xor eax, 4F373751h
                                          push esp
                                          inc ecx
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xc0e8c0x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xc20000x3a8.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xc40000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xbeefc0xbf000False0.9247612279123036data7.932077624932354IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0xc20000x3a80x400False0.3759765625data2.9336148862162847IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xc40000xc0x200False0.041015625data0.07763316234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_VERSION0xc20580x34cdata

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Snort IDS Alerts

                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                          192.168.2.5132.226.8.16949772802842536 06/26/22-09:45:10.882218TCP2842536ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check4977280192.168.2.5132.226.8.169

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jun 26, 2022 09:45:10.612282991 CEST4977280192.168.2.5132.226.8.169
                                          Jun 26, 2022 09:45:10.881300926 CEST8049772132.226.8.169192.168.2.5
                                          Jun 26, 2022 09:45:10.881459951 CEST4977280192.168.2.5132.226.8.169
                                          Jun 26, 2022 09:45:10.882217884 CEST4977280192.168.2.5132.226.8.169
                                          Jun 26, 2022 09:45:11.146639109 CEST8049772132.226.8.169192.168.2.5
                                          Jun 26, 2022 09:45:12.152662039 CEST8049772132.226.8.169192.168.2.5
                                          Jun 26, 2022 09:45:12.286751032 CEST4977280192.168.2.5132.226.8.169
                                          Jun 26, 2022 09:46:17.151365995 CEST8049772132.226.8.169192.168.2.5
                                          Jun 26, 2022 09:46:17.151546001 CEST4977280192.168.2.5132.226.8.169
                                          Jun 26, 2022 09:46:52.177752018 CEST4977280192.168.2.5132.226.8.169
                                          Jun 26, 2022 09:46:52.442231894 CEST8049772132.226.8.169192.168.2.5

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jun 26, 2022 09:45:10.522610903 CEST5393453192.168.2.58.8.8.8
                                          Jun 26, 2022 09:45:10.541312933 CEST53539348.8.8.8192.168.2.5
                                          Jun 26, 2022 09:45:10.566931963 CEST6371253192.168.2.58.8.8.8
                                          Jun 26, 2022 09:45:10.583794117 CEST53637128.8.8.8192.168.2.5

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                          Jun 26, 2022 09:45:10.522610903 CEST192.168.2.58.8.8.80xac43Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.566931963 CEST192.168.2.58.8.8.80x6219Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                          Jun 26, 2022 09:45:10.541312933 CEST8.8.8.8192.168.2.50xac43No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                                          Jun 26, 2022 09:45:10.541312933 CEST8.8.8.8192.168.2.50xac43No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.541312933 CEST8.8.8.8192.168.2.50xac43No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.541312933 CEST8.8.8.8192.168.2.50xac43No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.541312933 CEST8.8.8.8192.168.2.50xac43No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.541312933 CEST8.8.8.8192.168.2.50xac43No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.583794117 CEST8.8.8.8192.168.2.50x6219No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                                          Jun 26, 2022 09:45:10.583794117 CEST8.8.8.8192.168.2.50x6219No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.583794117 CEST8.8.8.8192.168.2.50x6219No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.583794117 CEST8.8.8.8192.168.2.50x6219No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.583794117 CEST8.8.8.8192.168.2.50x6219No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)
                                          Jun 26, 2022 09:45:10.583794117 CEST8.8.8.8192.168.2.50x6219No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • checkip.dyndns.org

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          0192.168.2.549772132.226.8.16980C:\Users\user\Desktop\bh4BVURVUr.exe
                                          TimestampkBytes transferredDirectionData
                                          Jun 26, 2022 09:45:10.882217884 CEST1166OUTGET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Jun 26, 2022 09:45:12.152662039 CEST1167INHTTP/1.1 200 OK
                                          Date: Sun, 26 Jun 2022 07:45:11 GMT
                                          Content-Type: text/html
                                          Content-Length: 106
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.61</body></html>


                                          Statistics

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:09:44:42
                                          Start date:26/06/2022
                                          Path:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\bh4BVURVUr.exe"
                                          Imagebase:0xd30000
                                          File size:784384 bytes
                                          MD5 hash:146C170D7AD83ED8302A01081326BCDD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low

                                          General

                                          Target ID:6
                                          Start time:09:45:02
                                          Start date:26/06/2022
                                          Path:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          Imagebase:0xc30000
                                          File size:784384 bytes
                                          MD5 hash:146C170D7AD83ED8302A01081326BCDD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low

                                          Disassembly

                                          No disassembly