
Windows Analysis Report
22o5gJzlg6.exe

Overview

General Information

Sample Name: 22o5gJzlg6.exe
Analysis ID: 679116
MD5: 1f85c12fcd3232c577e5e8cc07fbf1e1
SHA1: 3741755f8a11638209821a3cd7c01104acac184d
SHA256: f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4
Tags: exe, njrat, RAT

Detection

Njrat
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Njrat
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges

Classification

  • System is w10x64
  • 22o5gJzlg6.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\22o5gJzlg6.exe" MD5: 1F85C12FCD3232C577E5E8CC07FBF1E1)
  • cleanup
{"Host": "milla11.publicvm.com", "Port": "5050", "Mutex Name": "d84c416188f84fa099", "Network Seprator": "@!#&^%$", "Campaign ID": "NYAN CAT", "Version": "0.7NC"}
Source: Process Memory Space: 22o5gJzlg6.exe PID: 5776 | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
    No Sigma rule has matched
    Timestamp: 08/05/22-09:39:04.872116
    Source IP: 192.168.2.5
    Destination IP: 91.109.186.4
    SID: 2825564
    Source Port: 49765
    Destination Port: 5050
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Timestamp: 08/05/22-09:37:42.892210
    Source IP: 192.168.2.5
    Destination IP: 91.109.186.4
    SID: 2825563
    Source Port: 49765
    Destination Port: 5050
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Timestamp: 08/05/22-09:37:42.798572
    Source IP: 192.168.2.5
    Destination IP: 91.109.186.4
    SID: 2033132
    Source Port: 49765
    Destination Port: 5050
    Protocol: TCP
    Classtype: A Network Trojan was detected


    AV Detection

    Source: 22o5gJzlg6.exe | Avira: detected
    Source: 22o5gJzlg6.exe | Virustotal: Detection: 73%
    Source: 22o5gJzlg6.exe | Metadefender: Detection: 42%
    Source: 22o5gJzlg6.exe | ReversingLabs: Detection: 69%
    Source: Yara match | File source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR
    Source: 22o5gJzlg6.exe | Joe Sandbox ML: detected
    Source: 0.0.22o5gJzlg6.exe.430000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
    Source: 0.2.22o5gJzlg6.exe.27abcb4.0.raw.unpack | Malware Configuration Extractor: Njrat {"Host": "milla11.publicvm.com", "Port": "5050", "Mutex Name": "d84c416188f84fa099", "Network Seprator": "@!#&^%$", "Campaign ID": "NYAN CAT", "Version": "0.7NC"}
    Source: 22o5gJzlg6.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

    Networking

    Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: Malware configuration extractor | URLs: milla11.publicvm.com
    Source: global traffic | TCP traffic: 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(
    Source: 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
    Source: 22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
    Source: 22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/=
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/V
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
    Source: 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/iv
    Source: 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436098101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435840977.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436041454.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/4
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
    Source: 22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/kurs
    Source: 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l
    Source: 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/r
    Source: 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sv-s
    Source: 22o5gJzlg6.exe, 00000000.00000003.445348164.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.445413832.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.441424361.00000000057EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
    Source: 22o5gJzlg6.exe, 00000000.00000003.443332430.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.Y
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: 22o5gJzlg6.exe, 00000000.00000003.435143246.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435173659.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com8
    Source: 22o5gJzlg6.exe, 00000000.00000003.430432412.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430522948.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430486289.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430185630.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430244973.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430578626.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: 22o5gJzlg6.exe, 00000000.00000003.430432412.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430486289.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kra
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432261621.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn.i
    Source: 22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432499311.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
    Source: 22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnva
    Source: unknownDNS traffic detected: queries for: milla11.publicvm.com

    E-Banking Fraud

    Source: Yara matchFile source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR
    Source: 22o5gJzlg6.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: 22o5gJzlg6.exe, 00000000.00000002.696319010.0000000002761000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenametojen.exe4 vs 22o5gJzlg6.exe
    Source: 22o5gJzlg6.exe, 00000000.00000000.423127249.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameGoogle webmaster.exeD vs 22o5gJzlg6.exe
    Source: 22o5gJzlg6.exeBinary or memory string: OriginalFilenameGoogle webmaster.exeD vs 22o5gJzlg6.exe
    Source: 22o5gJzlg6.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeCode function: 0_2_00E2D030
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeCode function: 0_2_07291270
    Source: 22o5gJzlg6.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: 22o5gJzlg6.exeVirustotal: Detection: 73%
    Source: 22o5gJzlg6.exeMetadefender: Detection: 42%
    Source: 22o5gJzlg6.exeReversingLabs: Detection: 69%
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 22o5gJzlg6.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeMutant created: \Sessions\1\BaseNamedObjects\d84c416188f84fa099
    Source: classification engineClassification label: mal80.troj.winEXE@1/0@1/1
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: 22o5gJzlg6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeCode function: 0_2_00E2274F push ds; iretd
    Source: initial sampleStatic PE information: section name: .text entropy: 7.472442868082026
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeWindow / User API: threadDelayed 4996
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe TID: 4916Thread sleep count: 4996 > 30
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeMemory allocated: page read and write | page guard
    Source: 22o5gJzlg6.exe, 00000000.00000002.697124211.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.696802851.00000000027B3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Users\user\Desktop\22o5gJzlg6.exe VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR
    MITRE ATT&CK matrix, listed per tactic (numbers in parentheses are the per-technique counts shown in the matrix):

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
    Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Process Injection (1), Obfuscated Files or Information (2), Software Packing (3)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
    Discovery: Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), Remote System Discovery (1), System Information Discovery (12)
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
    Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
    Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
    Impact: Modify System Partition, Device Lockout, Delete Device Data
    Source | Detection | Scanner | Label
    22o5gJzlg6.exe | 73% | Virustotal | -
    22o5gJzlg6.exe | 43% | Metadefender | -
    22o5gJzlg6.exe | 69% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
    22o5gJzlg6.exe | 100% | Avira | TR/Dropper.MSIL.Gen
    22o5gJzlg6.exe | 100% | Joe Sandbox ML | -
    No Antivirus matches
    Source | Detection | Scanner | Label
    0.0.22o5gJzlg6.exe.430000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    milla11.publicvm.com | 91.109.186.4 | true | false | - | high
    Name | Malicious | Antivirus Detection | Reputation
    milla11.publicvm.com | false | - | high
        NameSourceMaliciousAntivirus DetectionReputation
        http://www.fontbureau.com/designersG22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          http://www.founder.com.cn/cnQ22o5gJzlg6.exe, 00000000.00000003.431386511.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431226577.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431148925.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431016693.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431510900.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.fontbureau.com/designers/?22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://www.founder.com.cn/cn/bThe22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.fontbureau.com/designers?22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://www.carterandcone.comva22o5gJzlg6.exe, 00000000.00000003.432499311.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.founder.com.cn/cnCTI22o5gJzlg6.exe, 00000000.00000003.430863609.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.carterandcone.com122o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.founder.com.cn/cnRIN22o5gJzlg6.exe, 00000000.00000003.430863609.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.tiro.com22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.fontbureau.comuea22o5gJzlg6.exe, 00000000.00000002.699727274.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446329043.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446126364.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446267888.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446363357.0000000005810000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.zhongyicts.com.cn.i22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.fontbureau.com/designers22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://www.fontbureau.comTTF22o5gJzlg6.exe, 00000000.00000003.437693822.000000000580E000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.comessed22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439519748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439416035.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439279849.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.jiyu-kobo.co.jp/jp/422o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.jiyu-kobo.co.jp/kurs22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.goodfont.co.kr22o5gJzlg6.exe, 00000000.00000003.430244973.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.carterandcone.com22o5gJzlg6.exe, 00000000.00000003.432863626.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432261621.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432675327.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432828022.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432499311.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432899886.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432630198.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433019323.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432759453.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.founder.com.cn/cnC22o5gJzlg6.exe, 00000000.00000003.431148925.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431016693.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.monotype.Y22o5gJzlg6.exe, 00000000.00000003.443332430.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.jiyu-kobo.co.jp/jp/=22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.sajatypeworks.com22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.typography.netD22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.founder.com.cn/cn/cThe22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.galapagosdesign.com/l22o5gJzlg6.exe, 00000000.00000003.442520590.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442128327.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.galapagosdesign.com/staff/dennis.htm22o5gJzlg6.exe, 00000000.00000003.442056543.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442655517.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442501394.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://fontfabrik.com22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.428170416.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.comessedI22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438225069.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438174770.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439279849.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.carterandcone.comE22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://fontfabrik.comx22o5gJzlg6.exe, 00000000.00000003.428170416.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.founder.com.cn/cnTFu22o5gJzlg6.exe, 00000000.00000003.430863609.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.jiyu-kobo.co.jp/422o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.carterandcone.com822o5gJzlg6.exe, 00000000.00000003.433244896.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com422o5gJzlg6.exe, 00000000.00000003.439609629.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439519748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439279849.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.jiyu-kobo.co.jp//22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.galapagosdesign.com/DPlease22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.jiyu-kobo.co.jp/Y022o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.comrsiv&22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                low
                http://www.jiyu-kobo.co.jp/(22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fonts.com22o5gJzlg6.exe, 00000000.00000003.427915980.0000000005806000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.sandoll.co.kr22o5gJzlg6.exe, 00000000.00000003.430432412.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430522948.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430486289.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430185630.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430244973.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430578626.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.jiyu-kobo.co.jp/&22o5gJzlg6.exe, 00000000.00000003.435442221.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436179663.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435352161.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435573925.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435635608.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436098101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435840977.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436041454.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.urwpp.deDPlease22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.zhongyicts.com.cn22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432261621.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.carterandcone.como.22o5gJzlg6.exe, 00000000.00000003.432675327.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432828022.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432630198.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432759453.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.sakkal.com22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.carterandcone.comC~22o5gJzlg6.exe, 00000000.00000003.432863626.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433296887.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433244896.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433420738.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://www.founder.com.cn/cn/;22o5gJzlg6.exe, 00000000.00000003.430476742.0000000005806000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430516625.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.carterandcone.coma22o5gJzlg6.exe, 00000000.00000003.433296887.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433244896.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433420738.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.apache.org/licenses/LICENSE-2.022o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
http://www.fontbureau.com22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.437770989.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438225069.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.galapagosdesign.com/22o5gJzlg6.exe, 00000000.00000003.442920288.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442005981.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442520590.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443542427.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442655517.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443031431.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442962847.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442741235.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443220777.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442128327.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443153111.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443450897.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443332430.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.jiyu-kobo.co.jp/X22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comF22o5gJzlg6.exe, 00000000.00000003.437693822.000000000580E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.jiyu-kobo.co.jp/V22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comtt22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438225069.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439279849.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.comd_22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438225069.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438174770.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://www.jiyu-kobo.co.jp/jp/22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436098101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435840977.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436041454.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.coma22o5gJzlg6.exe, 00000000.00000003.437851582.000000000580E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.carterandcone.coma-d22o5gJzlg6.exe, 00000000.00000003.432261621.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comd22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439609629.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439642692.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comsiefl22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.sakkal.com822o5gJzlg6.exe, 00000000.00000003.435143246.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435173659.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.ascendercorp.com/typedesigners.html~22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435352161.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435564805.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435393505.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435434677.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.sandoll.co.kra22o5gJzlg6.exe, 00000000.00000003.430432412.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430486289.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://en.w22o5gJzlg6.exe, 00000000.00000003.427915980.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.jiyu-kobo.co.jp/=22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.carterandcone.coml22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.founder.com.cn/cn/22o5gJzlg6.exe, 00000000.00000003.431386511.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431226577.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431719100.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431510900.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers/cabarga.htmlN22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.founder.com.cn/cn22o5gJzlg6.exe, 00000000.00000003.431016693.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431510900.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://fontfabrik.com-e22o5gJzlg6.exe, 00000000.00000003.428170416.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designers/frere-jones.html22o5gJzlg6.exe, 00000000.00000003.438782064.00000000057F0000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.zhongyicts.com.cnva22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/r22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.monotype.22o5gJzlg6.exe, 00000000.00000003.445348164.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.445413832.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.441424361.00000000057EE000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comt22o5gJzlg6.exe, 00000000.00000002.699727274.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446329043.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446126364.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446267888.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446363357.0000000005810000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/iv22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.carterandcone.com~22o5gJzlg6.exe, 00000000.00000003.432863626.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433244896.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.fontbureau.comm22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439279849.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/l22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comz22o5gJzlg6.exe, 00000000.00000003.437851582.000000000580E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/sv-s22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.zhongyicts.com.cno.22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432499311.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers822o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.fontbureau.comals22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439609629.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439642692.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comitu_22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439609629.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439519748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439642692.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            low
                            http://www.fontbureau.comT.TTF=22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            low
Contacted IPs:
IP:91.109.186.4
Domain:milla11.publicvm.com
Country:France
ASN:29075
ASN Name:IELOIELOMainNetworkFR
Malicious:false
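The host and address in the table above are the only network indicators this report marks as belonging to the sample; the font-vendor URLs listed before it all carry a "safe" reputation and are not indicators. The matcher below is an added example written for this page, not Joe Sandbox code: it runs the two indicators over a handful of constructed key=value log lines (written for the example, not records from the analysis) and shows two points a practitioner wants to get right. The hostname is matched exactly and case-insensitively, because publicvm.com is a shared dynamic-DNS zone and matching the parent zone would flag unrelated hosts; and the name is matched independently of the address, because a dynamic-DNS host can resolve to a different address the next day.

```python
import ipaddress
import re

# Network indicators copied from the report's IP/domain table (the C2 host and
# the address it resolved to during the sandbox run). Added example, not
# Joe Sandbox code.
C2_DOMAINS = {"milla11.publicvm.com"}
C2_IPS = {"91.109.186.4"}

# Constructed log lines in a generic key=value format, written for this
# example (not records from the analysis). Line 2 carries one of the
# font-vendor URLs that the report lists with a "safe" reputation.
CONSTRUCTED_LOGS = [
    "2022-08-05T07:37:40Z dns client=192.168.2.5 query=milla11.publicvm.com type=A answer=91.109.186.4",
    "2022-08-05T07:37:42Z fw action=allow src=192.168.2.5 dst=91.109.186.4 proto=tcp",
    "2022-08-05T07:38:01Z proxy client=192.168.2.5 url=http://www.fontbureau.com/designers/ status=200",
    "2022-08-05T09:12:09Z dns client=192.168.2.9 query=MILLA11.PUBLICVM.COM type=A answer=203.0.113.7",
    "2022-08-05T09:13:00Z dns client=192.168.2.9 query=other77.publicvm.com type=A answer=203.0.113.8",
]

_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_hosts(line: str) -> set[str]:
    """Hostnames in a log line, lower-cased so MILLA11.PUBLICVM.COM matches."""
    return {m.group(0).lower() for m in _HOST_RE.finditer(line)}


def extract_ips(line: str) -> set[str]:
    """IPv4 addresses in a log line, validated so 999.1.1.1 is not an IP."""
    found = set()
    for m in _IP_RE.finditer(line):
        try:
            found.add(str(ipaddress.IPv4Address(m.group(0))))
        except ipaddress.AddressValueError:
            pass
    return found


def match_line(line: str) -> list[str]:
    """Reasons this line hits the report's indicators (empty if it does not).

    Matching is on the exact host, not on the parent zone: publicvm.com is a
    shared dynamic-DNS zone, so a *.publicvm.com rule would flag unrelated hosts.
    """
    reasons = [f"domain:{h}" for h in extract_hosts(line) & C2_DOMAINS]
    reasons += [f"ip:{ip}" for ip in extract_ips(line) & C2_IPS]
    return sorted(reasons)


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line index, reasons) for every line that hits an indicator."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = match_line(line)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(CONSTRUCTED_LOGS):
        print(f"line {idx}: {', '.join(reasons)}")
```

Run against the constructed lines, the scan flags line 0 on both the name and the address, line 1 on the address alone, and line 3 on the name alone even though the answer differs; the font-vendor request and the sibling publicvm.com host produce no hit.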
                            Joe Sandbox Version:35.0.0 Citrine
                            Analysis ID:679116
Start date and time:2022-08-05 09:36:11 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 6m 11s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:22o5gJzlg6.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal80.troj.winEXE@1/0@1/1
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Adjust boot time
                            • Enable AMSI
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 23.211.6.115
                            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-azurecdn-akamai-iris.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                            • Execution Graph export aborted for target 22o5gJzlg6.exe, PID 5776 because it is empty
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.014106369522473
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:22o5gJzlg6.exe
                            File size:772608
                            MD5:1f85c12fcd3232c577e5e8cc07fbf1e1
                            SHA1:3741755f8a11638209821a3cd7c01104acac184d
                            SHA256:f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4
                            SHA512:9a991ea8dd19bff6a7a83d546b2f4d958e849a17ef4cbc62c2faaf3e9588fc896c7cd48fe76cfa34a2efa66327002fb412201d32e74a5c683c30ee1fe1138667
                            SSDEEP:12288:WqShIfQIKMR4LClwugCEzE3qA2nv1gfckf:4hIYIKMCigCEzE312nKck
                            TLSH:4DF4920B5D78868AE1FA3530C6F670B3A273970BDD098A35697DE0C37E29DE904E7116
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..b.............................3... ...@....@.. ....................... .............................................
                            Icon Hash:f8c6e86968b0cc70
                            Entrypoint:0x4933ee
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            DLL Characteristics:
                            Time Stamp:0x62E8FC24 [Tue Aug 2 10:27:48 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al (repeated 97 times: the bytes after the entry-point jmp are zero padding, which disassembles as this instruction)
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x93394 | 0x57 | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x96000 | 0x2b198 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x913f4 | 0x91400 | False | 0.7046612790447504 | data | 7.472442868082026 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .reloc | 0x94000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x96000 | 0x2b198 | 0x2b200 | False | 0.17342617753623188 | data | 3.676783822364216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country
                            RT_ICON | 0x962b0 | 0x31c8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                            RT_ICON | 0x99478 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                            RT_ICON | 0xa9ca0 | 0x94a8 | data | |
                            RT_ICON | 0xb3148 | 0x5488 | data | |
                            RT_ICON | 0xb85d0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848 | |
                            RT_ICON | 0xbc7f8 | 0x25a8 | data | |
                            RT_ICON | 0xbeda0 | 0x10a8 | data | |
                            RT_ICON | 0xbfe48 | 0x988 | data | |
                            RT_ICON | 0xc07d0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                            RT_GROUP_ICON | 0xc0c38 | 0x84 | data | |
                            RT_VERSION | 0xc0cbc | 0x2f0 | SysEx File - IDP | |
                            RT_MANIFEST | 0xc0fac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            08/05/22-09:39:04.872116 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            08/05/22-09:37:42.892210 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            08/05/22-09:37:42.798572 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Aug 5, 2022 09:37:41.568679094 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:37:41.630243063 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:37:41.630374908 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:37:42.798572063 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:37:42.892086983 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:37:42.892210007 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:37:42.985652924 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:37:47.422403097 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:37:47.517601013 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:37:47.720798969 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:37:47.723356962 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:37:47.818135023 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:05.765523911 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:05.766052961 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:38:05.856589079 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:23.812676907 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:23.814517975 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:38:23.905464888 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:41.821995974 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:41.822762012 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:38:41.916249990 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:56.442615032 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:38:56.534531116 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:59.864129066 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:38:59.864787102 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:38:59.956043959 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:39:04.872116089 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:39:04.967768908 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:39:17.911744118 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:39:17.942150116 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:39:18.130026102 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:39:35.925879955 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Aug 5, 2022 09:39:35.926232100 CEST | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                            Aug 5, 2022 09:39:36.021418095 CEST | 5050 | 49765 | 91.109.186.4 | 192.168.2.5
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Aug 5, 2022 09:37:41.422647953 CEST | 61356 | 53 | 192.168.2.5 | 8.8.8.8
                            Aug 5, 2022 09:37:41.550160885 CEST | 53 | 61356 | 8.8.8.8 | 192.168.2.5
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Aug 5, 2022 09:37:41.422647953 CEST | 192.168.2.5 | 8.8.8.8 | 0x2963 | Standard query (0) | milla11.publicvm.com | A (IP address) | IN (0x0001)
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Aug 5, 2022 09:37:41.550160885 CEST | 8.8.8.8 | 192.168.2.5 | 0x2963 | No error (0) | milla11.publicvm.com | | 91.109.186.4 | A (IP address) | IN (0x0001)
                            No statistics
                            Target ID:0
                            Start time:09:37:20
                            Start date:05/08/2022
                            Path:C:\Users\user\Desktop\22o5gJzlg6.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\22o5gJzlg6.exe"
                            Imagebase:0x430000
                            File size:772608 bytes
                            MD5 hash:1F85C12FCD3232C577E5E8CC07FBF1E1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:low

                            No disassembly