
Windows Analysis Report
l9qmoY93Ed.exe

Overview

General Information

Sample Name: l9qmoY93Ed.exe
Analysis ID: 708248
MD5: fb561127230e7104e2df440f2712581e
SHA1: 62741306fbb863c7def4a3cc21175a3badf59f14
SHA256: 48929d6ac22fe9d2edee0e1ea483b143786d3b0965be5c771eb6a2d90018df21
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • l9qmoY93Ed.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\l9qmoY93Ed.exe" MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 3276 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 4460 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
  • cleanup
Malware Configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}
Source | Rule | Description | Author | Strings
00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x1742c:$x1: $%SMTPDV$
  • 0x17442:$x2: $#TheHashHere%&
  • 0x187cc:$x3: %FTPDV$
  • 0x18894:$x4: $%TelegramDv$
  • 0x14d3d:$x5: KeyLoggerEventArgs
  • 0x150d3:$x5: KeyLoggerEventArgs
  • 0x1883c:$m1: | Snake Keylogger
  • 0x188f4:$m1: | Snake Keylogger
  • 0x18a48:$m1: | Snake Keylogger
  • 0x18b6e:$m1: | Snake Keylogger
  • 0x18cc8:$m1: | Snake Keylogger
  • 0x187f0:$m2: Clipboard Logs ID
  • 0x189fe:$m2: Screenshot Logs ID
  • 0x18b12:$m2: keystroke Logs ID
  • 0x18cfe:$m3: SnakePW
  • 0x189d6:$m4: \SnakeKeylogger\
(17 entries in total; remaining entries not shown)
Source | Rule | Description | Author | Strings
2.0.l9qmoY93Ed.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1b362:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1a54b:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1a992:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1bb13:$a5: \Kometa\User Data\Default\Login Data
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(32 entries in total; remaining entries not shown)
No Sigma rule has matched

Snort IDS alert:
Timestamp: 09/23/22-08:12:18.468779
Source IP: 192.168.2.5
Destination IP: 132.226.8.169
Source Port: 49699
Destination Port: 80
Protocol: TCP
SID: 2842536
Classtype: A Network Trojan was detected


AV Detection

Source: l9qmoY93Ed.exe | ReversingLabs: Detection: 57%
Source: l9qmoY93Ed.exe | Virustotal: Detection: 32%
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}
Source: l9qmoY93Ed.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: l9qmoY93Ed.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B63D1h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B7507h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BFDE9h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B7DC7h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B8687h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BF539h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B5F70h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B8227h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BEC8Ah
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BF0E1h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B6B10h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BF991h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B7967h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B6B10h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B6B10h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06954D29h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695E529h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06958149h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06955181h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695E981h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069585A1h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695E0A9h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069548D1h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06957CF1h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06955A31h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695F231h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06955E89h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695F689h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069555D9h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695EDD9h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069589F9h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06956739h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06953771h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06956B91h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069562E1h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695FAE1h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06953319h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06957441h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06954479h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06957899h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06953BC9h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06956FE9h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06954021h
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]

Networking

Source: Traffic | Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.5:49699 -> 132.226.8.169:80
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: UTMEMUS
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Source: l9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: l9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: l9qmoY93Ed.exe, 00000002.00000002.561562050.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: l9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org4
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: l9qmoY93Ed.exe, 00000002.00000002.561562050.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295803605.0000000005719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: l9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300033996.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300439789.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300401470.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: l9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: l9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmll
Source: l9qmoY93Ed.exe, 00000000.00000003.300458982.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300547173.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300639622.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300498619.0000000005714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF6
Source: l9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comQ
Source: l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300889022.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300928525.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comW.TTFZ
Source: l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdu
Source: l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: l9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comitud
Source: l9qmoY93Ed.exe, 00000000.00000003.301648142.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comituo
Source: l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comld
Source: l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comsiv
Source: l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comttco
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn
Source: l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr
Source: l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/u
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299297786.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299409033.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299635821.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299527509.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299179854.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298493164.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298293705.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298815241.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298986768.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299739771.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/X
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/liqu
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sv-s?
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~
                  Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.292934561.0000000005723000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297522887.0000000005713000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com-s
                  Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: unknownDNS traffic detected: queries for: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: l9qmoY93Ed.exe, 00000000.00000002.315393634.0000000000B20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: l9qmoY93Ed.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: l9qmoY93Ed.exe, 00000000.00000002.317339858.00000000028CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.315393634.0000000000B20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316575659.0000000002811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.332212556.0000000007060000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000000.289991126.0000000000530000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegUab.exeF vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.317300560.00000000028C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.325864527.0000000003811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000002.00000002.560575264.00000000016D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000002.00000000.312581315.0000000000422000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000002.00000002.560030934.00000000011F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe | Binary or memory string: OriginalFilenamegUab.exeF vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe | ReversingLabs: Detection: 57%
                  Source: l9qmoY93Ed.exe | Virustotal: Detection: 32%
                  Source: l9qmoY93Ed.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\l9qmoY93Ed.exe "C:\Users\user\Desktop\l9qmoY93Ed.exe"
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process created: C:\Users\user\Desktop\l9qmoY93Ed.exe C:\Users\user\Desktop\l9qmoY93Ed.exe
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\l9qmoY93Ed.exe.log
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
                  Source: l9qmoY93Ed.exe, 00000002.00000002.562272546.000000000437D000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.561952303.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.562011210.00000000033CA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: l9qmoY93Ed.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, ??ufffd??/z?u0026??.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, u00ab???ufffd/u058fufffd???.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: l9qmoY93Ed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: l9qmoY93Ed.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: l9qmoY93Ed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                  Data Obfuscation

                  Source: l9qmoY93Ed.exe, order_management_system.cs | .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.l9qmoY93Ed.exe.470000.0.unpack, order_management_system.cs | .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B8F09 push FFFFFF8Bh; iretd
                  Source: l9qmoY93Ed.exe | Static PE information: 0x8F2DF49B [Tue Feb 13 16:53:47 2046 UTC]
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe TID: 5952 | Thread sleep time: -41226s >= -30000s
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe TID: 5056 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Thread delayed: delay time: 41226
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Thread delayed: delay time: 922337203685477
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VIRTUALBOXDSOFTWARE\VMware, Inc.\VMware ToolsTSOFTWARE\Oracle\VirtualBox Guest Additions
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE6HARDWARE\Description\System"SystemBiosVersionNSYSTEM\ControlSet001\Services\Disk\Enum
                  Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.332212556.0000000007060000.00000004.08000000.00040000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.325864527.0000000003811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: XKDFefinoUNVIucqeMu
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                  Source: l9qmoY93Ed.exe, 00000002.00000002.560704618.0000000001705000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B6B88 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, u00ab???ufffd/u058fufffd???.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, ?????/????ufffd.cs | Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Memory written: C:\Users\user\Desktop\l9qmoY93Ed.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process created: C:\Users\user\Desktop\l9qmoY93Ed.exe C:\Users\user\Desktop\l9qmoY93Ed.exe
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Users\user\Desktop\l9qmoY93Ed.exe VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Users\user\Desktop\l9qmoY93Ed.exe VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR

Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR

Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR

Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR

MITRE ATT&CK Matrix (one line per tactic column; a number in parentheses is the matched-signature count the report attaches to that technique, entries without a number are unmatched matrix placeholders)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (111); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (11); Timestomp (1)
Credential Access: OS Credential Dumping (2); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13); Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Source | Detection | Scanner | Label | Link
l9qmoY93Ed.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
l9qmoY93Ed.exe | 32% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link | Download
2.0.l9qmoY93Ed.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File

Source | Detection | Scanner | Label | Link
checkip.dyndns.com | 0% | Virustotal | | Browse
checkip.dyndns.org | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.fontbureau.comsiv | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.comessed | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/~ | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://checkip.dyndns.org4 | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnn | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/6 | 0% | URL Reputation | safe |
http://checkip.dyndns.org/q | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnr | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/( | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://checkip.dyndns.com | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/Z | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/sv-s? | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comalsd | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe |
http://www.agfamonotype. | 0% | URL Reputation | safe |
http://www.fontbureau.comQ | 0% | URL Reputation | safe |
http://checkip.dyndns.org | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/u | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/? | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/u | 0% | URL Reputation | safe |
http://www.fontbureau.comld | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.fontbureau.comitud | 0% | URL Reputation | safe |
http://www.fontbureau.comW.TTFZ | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/u | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comdu | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/liqu | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comF6 | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comituo | 0% | Avira URL Cloud | safe |
http://www.sakkal.com-s | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comttco | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.dyndns.com | 132.226.8.169 | true | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
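The credential-store reads listed under Stealing of Sensitive Information (Postbox profiles, the Outlook MAPI profile key, FileZilla recentservers.xml, Chrome Login Data) and the network indicators in the domain and URL tables (checkip.dyndns.org for the victim's public IP, api.telegram.org/bot as the delivery endpoint) together describe the stealer pattern this report documents. The following added example, which is not part of the Joe Sandbox report and not Joe Sandbox's or the malware's code, turns that pattern into a small host-level correlation: it classifies Sysmon-like file, registry, DNS and HTTP events against the paths, key and indicators taken from this page, and flags a process that shows both credential-store access and an exfiltration channel. The Event format, the SAMPLE_EVENTS (constructed to mirror the report's evidence lines), the placeholder bot token and the ATT&CK technique IDs are assumptions, not something the report states.

```python
"""Host-level correlation of the behaviours recorded in this report.

Added example, not Joe Sandbox's or the malware's code. The Event format is
an assumed Sysmon-like simplification and SAMPLE_EVENTS are constructed;
only the paths, registry key and network indicators come from the report.
The ATT&CK technique IDs are an assumed mapping.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Credential stores the sample opened ("Stealing of Sensitive Information").
CREDENTIAL_STORES = {
    r"\AppData\Roaming\PostboxApp\Profiles": ("Postbox mail profiles", "T1114.001"),
    r"\AppData\Roaming\FileZilla\recentservers.xml": ("FileZilla saved servers", "T1552.001"),
    r"\AppData\Local\Google\Chrome\User Data\Default\Login Data": ("Chrome saved logins", "T1555.003"),
}
# Outlook MAPI profile hive the sample read; account passwords are stored under it.
OUTLOOK_PROFILE_KEY = r"\Windows Messaging Subsystem\Profiles\Outlook"

# Network indicators from the domain and URL tables.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    kind: str    # "file" | "registry" | "dns" | "http"
    target: str  # path, registry key, queried name or URL


@dataclass(frozen=True)
class Finding:
    pid: int
    category: str  # "credential_access" | "exfil_channel"
    technique: str
    detail: str


def classify(ev: Event) -> Optional[Finding]:
    """Map one event to a finding, or None when it is unremarkable."""
    target = ev.target.lower()
    if ev.kind == "file":
        for suffix, (label, tid) in CREDENTIAL_STORES.items():
            if suffix.lower() in target:
                return Finding(ev.pid, "credential_access", tid, f"{label}: {ev.target}")
    elif ev.kind == "registry" and OUTLOOK_PROFILE_KEY.lower() in target:
        return Finding(ev.pid, "credential_access", "T1552.002", f"Outlook profile: {ev.target}")
    elif ev.kind == "dns" and target in IP_CHECK_HOSTS:
        return Finding(ev.pid, "exfil_channel", "T1016", f"public IP lookup: {ev.target}")
    elif ev.kind == "http" and TELEGRAM_BOT_API.match(ev.target):
        return Finding(ev.pid, "exfil_channel", "T1071.001", "Telegram Bot API as exfil endpoint")
    return None


def assess(events: List[Event]) -> Tuple[List[Finding], Dict[int, str]]:
    """Correlate per process: credential-store reads plus an exfil channel in
    the same process is the stealer pattern; either alone is only suspicious."""
    findings = [f for f in map(classify, events) if f is not None]
    categories: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        categories[f.pid].add(f.category)
    verdicts: Dict[int, str] = {}
    for pid, cats in categories.items():
        if cats == {"credential_access", "exfil_channel"}:
            verdicts[pid] = "credential stealer with exfil channel"
        else:
            verdicts[pid] = "suspicious: " + ", ".join(sorted(cats))
    return findings, verdicts


# Constructed telemetry. PID 4460 is the injected copy named in the report's
# Yara matches; PID 1234 is benign noise (font access, an ordinary lookup).
SAMPLE_EVENTS = [
    Event(4460, "l9qmoY93Ed.exe", "file", r"C:\Users\user\AppData\Roaming\PostboxApp\Profiles"),
    Event(4460, "l9qmoY93Ed.exe", "registry",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Event(4460, "l9qmoY93Ed.exe", "file", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    Event(4460, "l9qmoY93Ed.exe", "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(4460, "l9qmoY93Ed.exe", "dns", "checkip.dyndns.org"),
    # The bot token below is a made-up placeholder, not one from the sample.
    Event(4460, "l9qmoY93Ed.exe", "http", "https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage"),
    Event(1234, "explorer.exe", "file", r"C:\Windows\Fonts\BOOKOS.TTF"),
    Event(1234, "explorer.exe", "dns", "www.fontbureau.com"),
]

if __name__ == "__main__":
    found, verdicts = assess(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f.pid} {f.technique} {f.category}: {f.detail}")
    print(verdicts)
```

The correlation deliberately requires both halves in one process: a mail client legitimately opens its own profile key, and many updaters resolve a public-IP service, but a single process that reads several unrelated credential stores and then talks to the Telegram Bot API is the behaviour this report attributes to the sample.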

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comsiv | l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comessed | l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/~ | l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.292934561.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org4 | l9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnn | l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF6 | l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/6 | l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/sv-s? | l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/u | l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnr | l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/liqu | l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.html | l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/( | l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | l9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | l9qmoY93Ed.exe, 00000002.00000002.561562050.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/Z | l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsd | l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comdu | l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Z | l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295803605.0000000005719000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | l9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300033996.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300439789.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300401470.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 
00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.galapagosdesign.com/l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/cabarga.htmlll9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/Xl9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.agfamonotype.l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comQl9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comituol9qmoY93Ed.exe, 00000000.00000003.301648142.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://checkip.dyndns.orgl9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/jp/ul9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/jp/l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comW.TTFZl9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300889022.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300928525.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/?l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.comll9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNl9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sakkal.com-sl9qmoY93Ed.exe, 00000000.00000003.297522887.0000000005713000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cnl9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmll9qmoY93Ed.exe, 00000000.00000003.300458982.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300547173.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300639622.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300498619.0000000005714000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/ul9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmll9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.fontbureau.comldl9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299297786.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299409033.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299635821.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299527509.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299179854.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298493164.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298293705.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298815241.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298986768.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 
00000000.00000003.299739771.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers8l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.fontbureau.comttcol9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comitudl9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
IP:132.226.8.169
Domain:checkip.dyndns.com
Country:United States
ASN:16989
ASN Name:UTMEMUS
Malicious:true
                                              Joe Sandbox Version:36.0.0 Rainbow Opal
                                              Analysis ID:708248
                                              Start date and time:2022-09-23 08:11:09 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 8m 55s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:l9qmoY93Ed.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:6
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@5/1@2/1
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time:08:12:08
Type:API Interceptor
Description:1x Sleep call for process: l9qmoY93Ed.exe modified
                                              Process:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1308
                                              Entropy (8bit):5.345811588615766
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                              MD5:2E016B886BDB8389D2DD0867BE55F87B
                                              SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                              SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                              SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.754111708993234
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:l9qmoY93Ed.exe
                                              File size:793088
                                              MD5:fb561127230e7104e2df440f2712581e
                                              SHA1:62741306fbb863c7def4a3cc21175a3badf59f14
                                              SHA256:48929d6ac22fe9d2edee0e1ea483b143786d3b0965be5c771eb6a2d90018df21
                                              SHA512:69762dd766e01737a7adf88e415f6e912aa8ba6de3c8cb8592dc19430669074fa8b1c941747874d707990632ecd21de51da7a507695d0d407c4c03532403fbf3
                                              SSDEEP:12288:Hn+v8EgdeU9UgB8pAamPJ4+Y34kj3xAZ0XxfbVDfhxg:pEgYCU9pAama+0dO2VDfs
                                              TLSH:3DF4CF22D7AA4F4BD01162B89491C5B457AEEF05E02EC2476FEA7C9FF0767918221F13
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-...............0......J......>.... ........@.. ....................................@................................
                                              Icon Hash:ce9c9496e4949c9e
                                              Entrypoint:0x4bec3e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x8F2DF49B [Tue Feb 13 16:53:47 2046 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              Name                                | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT        | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT        | 0xbebec         | 0x4f         | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE      | 0xc0000         | 0x4658       | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION     | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY      | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC     | 0xc6000         | 0xc          | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG         | 0xbebd0         | 0x1c         | .text
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT     | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR     | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_TLS           | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG   | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT  | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_IAT           | 0x2000          | 0x8          | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT  | 0x0             | 0x0          |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR| 0x2008          | 0x48         | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED      | 0x0             | 0x0          |
                                              Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                                              .text  | 0x2000          | 0xbcc44      | 0xbce00  | False    | 0.6627957478491066 | data      | 6.7643112515498895  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc  | 0xc0000         | 0x4658       | 0x4800   | False    | 0.5441080729166666 | data      | 6.17580418567749    | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xc6000         | 0xc          | 0x200    | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name          | RVA     | Size   | Type                                                                                                                                   | Language | Country
                                              RT_ICON       | 0xc00e8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 |          |
                                              RT_GROUP_ICON | 0xc4310 | 0x14   | data                                                                                                                                   |          |
                                              RT_VERSION    | 0xc4324 | 0x334  | data                                                                                                                                   |          |
                                              DLL         | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp                 | Protocol | SID     | Message                                                            | Source Port | Dest Port | Source IP   | Dest IP
                                              09/23/22-08:12:18.468779  | TCP      | 2842536 | ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check    | 49699       | 80        | 192.168.2.5 | 132.226.8.169
                                              Timestamp                             | Source Port | Dest Port | Source IP     | Dest IP
                                              Sep 23, 2022 08:12:17.439915895 CEST  | 49699       | 80        | 192.168.2.5   | 132.226.8.169
                                              Sep 23, 2022 08:12:17.741672993 CEST  | 80          | 49699     | 132.226.8.169 | 192.168.2.5
                                              Sep 23, 2022 08:12:17.741903067 CEST  | 49699       | 80        | 192.168.2.5   | 132.226.8.169
                                              Sep 23, 2022 08:12:18.468779087 CEST  | 49699       | 80        | 192.168.2.5   | 132.226.8.169
                                              Sep 23, 2022 08:12:18.766530991 CEST  | 80          | 49699     | 132.226.8.169 | 192.168.2.5
                                              Sep 23, 2022 08:12:18.767304897 CEST  | 80          | 49699     | 132.226.8.169 | 192.168.2.5
                                              Sep 23, 2022 08:12:18.829407930 CEST  | 49699       | 80        | 192.168.2.5   | 132.226.8.169
                                              Sep 23, 2022 08:13:23.764321089 CEST  | 80          | 49699     | 132.226.8.169 | 192.168.2.5
                                              Sep 23, 2022 08:13:23.764427900 CEST  | 49699       | 80        | 192.168.2.5   | 132.226.8.169
                                              Sep 23, 2022 08:13:58.761035919 CEST  | 49699       | 80        | 192.168.2.5   | 132.226.8.169
                                              Sep 23, 2022 08:13:59.056631088 CEST  | 80          | 49699     | 132.226.8.169 | 192.168.2.5
                                              Timestamp                             | Source Port | Dest Port | Source IP   | Dest IP
                                              Sep 23, 2022 08:12:17.231950045 CEST  | 56894       | 53        | 192.168.2.5 | 8.8.8.8
                                              Sep 23, 2022 08:12:17.252614021 CEST  | 53          | 56894     | 8.8.8.8     | 192.168.2.5
                                              Sep 23, 2022 08:12:17.333827972 CEST  | 50295       | 53        | 192.168.2.5 | 8.8.8.8
                                              Sep 23, 2022 08:12:17.357783079 CEST  | 53          | 50295     | 8.8.8.8     | 192.168.2.5
                                              Timestamp                             | Source IP   | Dest IP | Trans ID | OP Code            | Name               | Type           | Class       | DNS over HTTPS
                                              Sep 23, 2022 08:12:17.231950045 CEST  | 192.168.2.5 | 8.8.8.8 | 0xebd1   | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.333827972 CEST  | 192.168.2.5 | 8.8.8.8 | 0x440    | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                              Timestamp                             | Source IP | Dest IP     | Trans ID | Reply Code   | Name               | CName              | Address        | Type                   | Class       | DNS over HTTPS
                                              Sep 23, 2022 08:12:17.252614021 CEST  | 8.8.8.8   | 192.168.2.5 | 0xebd1   | No error (0) | checkip.dyndns.org | checkip.dyndns.com |                | CNAME (Canonical name) | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.252614021 CEST  | 8.8.8.8   | 192.168.2.5 | 0xebd1   | No error (0) | checkip.dyndns.com |                    | 132.226.8.169  | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.252614021 CEST  | 8.8.8.8   | 192.168.2.5 | 0xebd1   | No error (0) | checkip.dyndns.com |                    | 132.226.247.73 | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.252614021 CEST  | 8.8.8.8   | 192.168.2.5 | 0xebd1   | No error (0) | checkip.dyndns.com |                    | 193.122.130.0  | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.252614021 CEST  | 8.8.8.8   | 192.168.2.5 | 0xebd1   | No error (0) | checkip.dyndns.com |                    | 193.122.6.168  | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.252614021 CEST  | 8.8.8.8   | 192.168.2.5 | 0xebd1   | No error (0) | checkip.dyndns.com |                    | 158.101.44.242 | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.357783079 CEST  | 8.8.8.8   | 192.168.2.5 | 0x440    | No error (0) | checkip.dyndns.org | checkip.dyndns.com |                | CNAME (Canonical name) | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.357783079 CEST  | 8.8.8.8   | 192.168.2.5 | 0x440    | No error (0) | checkip.dyndns.com |                    | 193.122.6.168  | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.357783079 CEST  | 8.8.8.8   | 192.168.2.5 | 0x440    | No error (0) | checkip.dyndns.com |                    | 132.226.8.169  | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.357783079 CEST  | 8.8.8.8   | 192.168.2.5 | 0x440    | No error (0) | checkip.dyndns.com |                    | 158.101.44.242 | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.357783079 CEST  | 8.8.8.8   | 192.168.2.5 | 0x440    | No error (0) | checkip.dyndns.com |                    | 132.226.247.73 | A (IP address)         | IN (0x0001) | false
                                              Sep 23, 2022 08:12:17.357783079 CEST  | 8.8.8.8   | 192.168.2.5 | 0x440    | No error (0) | checkip.dyndns.com |                    | 193.122.130.0  | A (IP address)         | IN (0x0001) | false
                                              • checkip.dyndns.org
                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                              0          | 192.168.2.5 | 49699       | 132.226.8.169  | 80               | C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Timestamp                             | kBytes transferred | Direction | Data
                                              Sep 23, 2022 08:12:18.468779087 CEST  | 102                | OUT       | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Sep 23, 2022 08:12:18.767304897 CEST  | 102                | IN        | HTTP/1.1 200 OK
                                              Date: Fri, 23 Sep 2022 06:12:18 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 34 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.43</body></html>



                                              Target ID:0
                                              Start time:08:12:00
                                              Start date:23/09/2022
                                              Path:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\l9qmoY93Ed.exe"
                                              Imagebase:0x470000
                                              File size:793088 bytes
                                              MD5 hash:FB561127230E7104E2DF440F2712581E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              Target ID:1
                                              Start time:08:12:09
                                              Start date:23/09/2022
                                              Path:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Imagebase:0x100000
                                              File size:793088 bytes
                                              MD5 hash:FB561127230E7104E2DF440F2712581E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              Target ID:2
                                              Start time:08:12:10
                                              Start date:23/09/2022
                                              Path:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Imagebase:0xfa0000
                                              File size:793088 bytes
                                              MD5 hash:FB561127230E7104E2DF440F2712581E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              No disassembly