Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report ttrpym.exe

Overview

General Information

Sample Name:ttrpym.exe
Analysis ID:345001
MD5:3b53c639bd8ea883e5036a040f833415
SHA1:af2f707e2e787879a67994fbad96c3e2f418dd3a
SHA256:eca6a35d952f84597c3917f4c77f8c0e2cdeea6101caa97906dc1904e6f9e0ea
Tags:exe

Most interesting Screenshot:

Detection

AgentTesla Telegram RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • ttrpym.exe (PID: 6400 cmdline: 'C:\Users\user\Desktop\ttrpym.exe' MD5: 3B53C639BD8EA883E5036A040F833415)
    • ttrpym.exe (PID: 6732 cmdline: {path} MD5: 3B53C639BD8EA883E5036A040F833415)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        Process Memory Space: ttrpym.exe PID: 6732JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: ttrpym.exe PID: 6732JoeSecurity_TelegramRATYara detected Telegram RATJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.ttrpym.exe.f80000.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Multi AV Scanner detection for submitted fileShow sources
              Source: ttrpym.exeReversingLabs: Detection: 50%
              Machine Learning detection for sampleShow sources
              Source: ttrpym.exeJoe Sandbox ML: detected
              Source: 3.2.ttrpym.exe.f80000.2.unpackAvira: Label: TR/Spy.Gen8

              Compliance:

              barindex
              Uses 32bit PE filesShow sources
              Source: ttrpym.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Uses new MSVCR DllsShow sources
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Uses secure TLS version for HTTPS connectionsShow sources
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49733 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49737 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49744 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49752 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49753 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49754 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49755 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49756 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49757 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49760 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49761 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49762 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49764 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49765 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49766 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49767 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49768 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49769 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49770 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49771 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49772 version: TLS 1.2
              Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
              Source: ttrpym.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Networking:

              barindex
              Uses the Telegram API (likely for C&C communication)Show sources
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: unknownDNS query: name: api.telegram.org
              Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012BA09A recv,
              Source: unknownDNS traffic detected: queries for: api.telegram.org
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
              Source: ttrpym.exe, 00000003.00000003.522255884.0000000007DEC000.00000004.00000001.sdmpString found in binary or memory: http://cert.s
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://certificates.godaddy.com/repository/0
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://certs.godaddy.com/repository/1301
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
              Source: ttrpym.exe, 00000000.00000003.235365275.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://en.w
              Source: ttrpym.exe, 00000000.00000003.234788164.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: ttrpym.exe, 00000003.00000003.469945835.0000000007DCC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.godaddy.c
              Source: ttrpym.exe, 00000003.00000003.522255884.0000000007DEC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.godaddy.com/0
              Source: ttrpym.exe, 00000003.00000003.522255884.0000000007DEC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.godaddy.com/02
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.godaddy.com/05
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: http://pmTUNK.com
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: ttrpym.exe, 00000000.00000003.242053272.0000000005E83000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
              Source: ttrpym.exe, 00000000.00000003.241273039.0000000005E83000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlXUJl
              Source: ttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
              Source: ttrpym.exe, 00000000.00000003.240021767.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comEacdW
              Source: ttrpym.exe, 00000000.00000003.240021767.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
              Source: ttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comad
              Source: ttrpym.exe, 00000000.00000003.238931261.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comamFA
              Source: ttrpym.exe, 00000000.00000003.239366599.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comd
              Source: ttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comdd
              Source: ttrpym.exe, 00000000.00000003.239292340.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comes
              Source: ttrpym.exe, 00000000.00000003.238931261.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comexc
              Source: ttrpym.exe, 00000000.00000003.238931261.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comhly
              Source: ttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comkYF=
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: ttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comma
              Source: ttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn-u
              Source: ttrpym.exe, 00000000.00000003.239201394.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comroa
              Source: ttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comt;F
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: ttrpym.exe, 00000000.00000003.245883722.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers)Y
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: ttrpym.exe, 00000000.00000003.245848821.0000000005E9E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
              Source: ttrpym.exe, 00000000.00000003.245848821.0000000005E9E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlH
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: ttrpym.exe, 00000000.00000003.245072326.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html.
              Source: ttrpym.exe, 00000000.00000003.245112917.0000000005E9E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlP
              Source: ttrpym.exe, 00000000.00000003.243841900.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/m
              Source: ttrpym.exe, 00000000.00000003.243841900.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/s
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: ttrpym.exe, 00000000.00000003.244251584.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?Y0
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: ttrpym.exe, 00000000.00000003.244027978.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersL
              Source: ttrpym.exe, 00000000.00000003.244441566.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerskYlH
              Source: ttrpym.exe, 00000000.00000002.264530973.00000000016D7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comgritaC
              Source: ttrpym.exe, 00000000.00000002.264530973.00000000016D7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comm
              Source: ttrpym.exe, 00000000.00000002.264530973.00000000016D7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comttvaZ
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: ttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: ttrpym.exe, 00000000.00000003.238052266.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: ttrpym.exe, 00000000.00000003.238160822.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/m
              Source: ttrpym.exe, 00000000.00000003.237899138.0000000005E80000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnm
              Source: ttrpym.exe, 00000000.00000003.238437682.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnomp
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: ttrpym.exe, 00000000.00000003.247619500.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: ttrpym.exe, 00000000.00000003.247669599.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmJU
              Source: ttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: ttrpym.exe, 00000000.00000003.243086872.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
              Source: ttrpym.exe, 00000000.00000003.247619500.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.2J
              Source: ttrpym.exe, 00000000.00000003.233656365.0000000005E62000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: ttrpym.exe, 00000000.00000003.233656365.0000000005E62000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comt
              Source: ttrpym.exe, 00000000.00000003.242053272.0000000005E83000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: ttrpym.exe, 00000000.00000003.237222343.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.c
              Source: ttrpym.exe, 00000000.00000003.237222343.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: ttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krl
              Source: ttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krs-c
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: ttrpym.exe, 00000000.00000003.240021767.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000003.239945309.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
              Source: ttrpym.exe, 00000000.00000003.239902821.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comp
              Source: ttrpym.exe, 00000000.00000003.238437682.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comrporation
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: ttrpym.exe, 00000000.00000003.246313205.0000000005E88000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000003.243655870.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
              Source: ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: ttrpym.exe, 00000000.00000003.243771789.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deoi
              Source: ttrpym.exe, 00000000.00000003.243571729.0000000005E7D000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dewa
              Source: ttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: ttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnad
              Source: ttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnamFA
              Source: ttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnj
              Source: ttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnma
              Source: ttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnr-c
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%(
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
              Source: ttrpym.exe, 00000003.00000002.619638629.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org
              Source: ttrpym.exe, 00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot1534863067:AAHgkXiWvRLedLdzn8NhreUVQl7GIuV0U6g/
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot1534863067:AAHgkXiWvRLedLdzn8NhreUVQl7GIuV0U6g/sendDocument
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot1534863067:AAHgkXiWvRLedLdzn8NhreUVQl7GIuV0U6g/sendDocumentdocument-----
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmp, ttrpym.exe, 00000003.00000002.619638629.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.orgx&.q
              Source: ttrpym.exe, 00000003.00000002.619638629.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.orgx&.qloN
              Source: ttrpym.exe, 00000003.00000003.469945835.0000000007DCC000.00000004.00000001.sdmpString found in binary or memory: https://certs.godaddy.com/repositor
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: https://certs.godaddy.com/repository/0
              Source: ttrpym.exe, 00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
              Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
              Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
              Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
              Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
              Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
              Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49733 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49737 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49744 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49752 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49753 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49754 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49755 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49756 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49757 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49760 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49761 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49762 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49764 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49765 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49766 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49767 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49768 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49769 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49770 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49771 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49772 version: TLS 1.2
              Source: C:\Users\user\Desktop\ttrpym.exeWindow created: window name: CLIPBRDWNDCLASS

              System Summary:

              barindex
              .NET source code contains very large array initializationsShow sources
              Source: 3.2.ttrpym.exe.f80000.2.unpack, u003cPrivateImplementationDetailsu003eu007b8C8394AEu002d6C21u002d4245u002dBDCBu002d313DD2DA3E81u007d/u003143B5B42u002d09A4u002d4DE1u002d9DA9u002d7F3805A0F092.csLarge array initialization: .cctor: array initializer size 12026
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012BAD42 NtQuerySystemInformation,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012BAD20 NtQuerySystemInformation,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 0_2_02DBE798
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 0_2_02DBE792
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 0_2_02DBC434
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_004060F0
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00406159
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_0040A570
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_004107A5
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00405A80
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00402AB0
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00405D60
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00409E70
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_0040AE0F
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_0040BE30
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012C6042
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: String function: 00410D6C appears 44 times
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: String function: 0040443A appears 44 times
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: String function: 004044F1 appears 63 times
              Source: ttrpym.exe, 00000000.00000002.272887494.0000000008D80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs ttrpym.exe
              Source: ttrpym.exe, 00000000.00000002.263886998.0000000000C60000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs ttrpym.exe
              Source: ttrpym.exe, 00000003.00000002.614307739.0000000000FCE000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametTIrQqSUbanmBpkFjGvOpEbqCmHMJjJZ.exe4 vs ttrpym.exe
              Source: ttrpym.exe, 00000003.00000002.614132584.0000000000B80000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs ttrpym.exe
              Source: ttrpym.exeBinary or memory string: OriginalFilename vs ttrpym.exe
              Source: C:\Users\user\Desktop\ttrpym.exeSection loaded: security.dll
              Source: ttrpym.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: ttrpym.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 3.2.ttrpym.exe.f80000.2.unpack, e3nXyWx54eXrMCJOPu/eAcKHQHop2SvdpjExo.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.ttrpym.exe.f80000.2.unpack, e3nXyWx54eXrMCJOPu/eAcKHQHop2SvdpjExo.csCryptographic APIs: 'CreateDecryptor'
              Source: ttrpym.exe, 00000000.00000003.250562979.0000000005E7B000.00000004.00000001.sdmpBinary or memory string: Century Schoolbook is a registered trademark of The Monotype Corporation plc.slnt+n\
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@26/2
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012BA5B6 AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012BA57F AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
              Source: C:\Users\user\Desktop\ttrpym.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ttrpym.exe.logJump to behavior
              Source: C:\Users\user\Desktop\ttrpym.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: ttrpym.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\ttrpym.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\ttrpym.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
              Source: C:\Users\user\Desktop\ttrpym.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
              Source: C:\Users\user\Desktop\ttrpym.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\ttrpym.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\ttrpym.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\ttrpym.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\ttrpym.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\ttrpym.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\ttrpym.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: ttrpym.exeReversingLabs: Detection: 50%
              Source: unknownProcess created: C:\Users\user\Desktop\ttrpym.exe 'C:\Users\user\Desktop\ttrpym.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\ttrpym.exe {path}
              Source: C:\Users\user\Desktop\ttrpym.exeProcess created: C:\Users\user\Desktop\ttrpym.exe {path}
              Source: C:\Users\user\Desktop\ttrpym.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: ttrpym.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: ttrpym.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: ttrpym.exe, GuideListFormatter/GuideListFormatter.cs.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.ttrpym.exe.b80000.0.unpack, GuideListFormatter/GuideListFormatter.cs.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.ttrpym.exe.b80000.0.unpack, GuideListFormatter/GuideListFormatter.cs.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.2.ttrpym.exe.aa0000.1.unpack, GuideListFormatter/GuideListFormatter.cs.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.0.ttrpym.exe.aa0000.0.unpack, GuideListFormatter/GuideListFormatter.cs.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 0_2_02DBD5EB push 0000005Dh; retn 0004h
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_0041C45C push cs; iretd
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_0041C55E push cs; iretd
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_0041C70E push ebx; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00410DB1 push ecx; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012C517A pushad ; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012C5172 push esp; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012C51A2 pushfd ; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012C73CB push ecx; retf
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012CD67D push ebx; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012C4F38 push 3C012C51h; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012C4F6E push esp; ret
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_0178591D push ebx; iretd
              Source: initial sampleStatic PE information: section name: .text entropy: 7.96541170313
              Source: 3.2.ttrpym.exe.f80000.2.unpack, e3nXyWx54eXrMCJOPu/eAcKHQHop2SvdpjExo.csHigh entropy of concatenated method names: '.cctor', 'EJWuFMmTwcOCj', 'eWaH61iq7', 'eLDx5Mj1j', 'eGN9hjVJU', 'eJNVII0RA', 'NvQ34uZt895nxEhi2FIr', 'ecKhHQop2', 'eSvjdpjEx', 'eo35nXyW5'
              Source: C:\Users\user\Desktop\ttrpym.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              barindex
              Found evasive API chain (trying to detect sleep duration tampering with parallel thread)Show sources
              Source: C:\Users\user\Desktop\ttrpym.exeFunction Chain: threadResumed,threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,memAlloc,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed
              Source: C:\Users\user\Desktop\ttrpym.exeFunction Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,memAlloc,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
              Source: ttrpym.exe, 00000000.00000002.264766297.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: ttrpym.exe, 00000000.00000002.264766297.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
              Source: C:\Users\user\Desktop\ttrpym.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\ttrpym.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\ttrpym.exeWindow / User API: threadDelayed 756
              Source: C:\Users\user\Desktop\ttrpym.exe TID: 6404Thread sleep time: -31500s >= -30000s
              Source: C:\Users\user\Desktop\ttrpym.exe TID: 6428Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\ttrpym.exe TID: 7112Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\ttrpym.exe TID: 7112Thread sleep time: -6540000s >= -30000s
              Source: C:\Users\user\Desktop\ttrpym.exe TID: 7112Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\ttrpym.exe TID: 7112Thread sleep time: -58156s >= -30000s
              Source: C:\Users\user\Desktop\ttrpym.exe TID: 7112Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ttrpym.exeLast function: Thread delayed
              Source: ttrpym.exe, 00000000.00000002.264861199.0000000003030000.00000004.00000001.sdmpBinary or memory string: VMware
              Source: ttrpym.exe, 00000000.00000002.264766297.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: ttrpym.exe, 00000000.00000002.264766297.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: VMWARE
              Source: ttrpym.exe, 00000003.00000003.469859605.000000000122C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
              Source: ttrpym.exe, 00000000.00000002.264819317.0000000002FEF000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: ttrpym.exe, 00000000.00000002.264766297.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
              Source: ttrpym.exe, 00000000.00000002.264819317.0000000002FEF000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: ttrpym.exe, 00000000.00000002.264861199.0000000003030000.00000004.00000001.sdmpBinary or memory string: VMware
              Source: ttrpym.exe, 00000000.00000002.264766297.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: $l"SOFTWARE\VMware, Inc.\VMware Tools
              Source: ttrpym.exe, 00000000.00000002.264819317.0000000002FEF000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: ttrpym.exe, 00000000.00000002.264766297.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: $l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: C:\Users\user\Desktop\ttrpym.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_004119BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00405550 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,
              Source: C:\Users\user\Desktop\ttrpym.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_004154E1 SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_004119BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00415C0B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00418E39 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\ttrpym.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              .NET source code references suspicious native API functionsShow sources
              Source: 3.2.ttrpym.exe.f80000.2.unpack, e3nXyWx54eXrMCJOPu/eAcKHQHop2SvdpjExo.csReference to suspicious API methods: ('eus1wv2xX', 'WriteProcessMemory@kernel32.dll'), ('eV0SEIQ9r', 'ReadProcessMemory@kernel32.dll'), ('eJNVII0RA', 'FindResource@kernel32.dll'), ('eL9ir86aw', 'LoadLibrary@kernel32'), ('eGN9hjVJU', 'VirtualProtect@kernel32.dll'), ('ev28wIJF8', 'GetProcAddress@kernel32'), ('ekpmC2OjU', 'VirtualProtect@kernel32.dll'), ('ewSXdJPgZ', 'OpenProcess@kernel32.dll')
              Source: C:\Users\user\Desktop\ttrpym.exeProcess created: C:\Users\user\Desktop\ttrpym.exe {path}
              Source: ttrpym.exe, 00000003.00000002.617083257.0000000001B40000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
              Source: ttrpym.exe, 00000003.00000002.617083257.0000000001B40000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: ttrpym.exe, 00000003.00000002.617083257.0000000001B40000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: ttrpym.exe, 00000003.00000002.617083257.0000000001B40000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: GetLocaleInfoA,
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Users\user\Desktop\ttrpym.exe VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_00415B06 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
              Source: C:\Users\user\Desktop\ttrpym.exeCode function: 3_2_012BABDE GetUserNameW,
              Source: C:\Users\user\Desktop\ttrpym.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: ttrpym.exe PID: 6732, type: MEMORY
              Source: Yara matchFile source: 3.2.ttrpym.exe.f80000.2.unpack, type: UNPACKEDPE
              Yara detected Telegram RATShow sources
              Source: Yara matchFile source: Process Memory Space: ttrpym.exe PID: 6732, type: MEMORY
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\ttrpym.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: Yara matchFile source: 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: ttrpym.exe PID: 6732, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: ttrpym.exe PID: 6732, type: MEMORY
              Source: Yara matchFile source: 3.2.ttrpym.exe.f80000.2.unpack, type: UNPACKEDPE
              Yara detected Telegram RATShow sources
              Source: Yara matchFile source: Process Memory Space: ttrpym.exe PID: 6732, type: MEMORY

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation211DLL Side-Loading1DLL Side-Loading1Disable or Modify Tools11OS Credential Dumping2System Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumWeb Service1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsNative API21Boot or Logon Initialization ScriptsAccess Token Manipulation1Deobfuscate/Decode Files or Information11LSASS MemoryAccount Discovery1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Process Injection12Obfuscated Files or Information3Security Account ManagerSystem Information Discovery124SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationEncrypted Channel12Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing13NTDSQuery Registry1Distributed Component Object ModelClipboard Data1Scheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsSecurity Software Discovery241SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol2Manipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading1Cached Domain CredentialsVirtualization/Sandbox Evasion13VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion13DCSyncProcess Discovery3Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobAccess Token Manipulation1Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection12/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
              Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork SniffingRemote System Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.

              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              ttrpym.exe50%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
              ttrpym.exe100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              SourceDetectionScannerLabelLinkDownload
              3.2.ttrpym.exe.f80000.2.unpack100%AviraTR/Spy.Gen8Download File

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
              http://www.carterandcone.comes0%Avira URL Cloudsafe
              http://www.fontbureau.comttvaZ0%Avira URL Cloudsafe
              http://www.zhongyicts.com.cnr-c0%Avira URL Cloudsafe
              http://www.sajatypeworks.com0%URL Reputationsafe
              http://www.sajatypeworks.com0%URL Reputationsafe
              http://www.sajatypeworks.com0%URL Reputationsafe
              http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
              http://www.carterandcone.comma0%Avira URL Cloudsafe
              http://www.carterandcone.comamFA0%Avira URL Cloudsafe
              http://www.urwpp.deoi0%Avira URL Cloudsafe
              http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
              http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
              http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
              http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
              http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
              http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
              http://www.urwpp.deDPlease0%URL Reputationsafe
              http://www.urwpp.deDPlease0%URL Reputationsafe
              http://www.urwpp.deDPlease0%URL Reputationsafe
              http://www.founder.com.cn/cnomp0%Avira URL Cloudsafe
              http://www.urwpp.dewa0%Avira URL Cloudsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              http://www.founder.com.cn/cn/m0%Avira URL Cloudsafe
              https://api.telegram.orgx&.q0%Avira URL Cloudsafe
              http://ocsp.godaddy.c0%Avira URL Cloudsafe
              http://www.carterandcone.comd0%URL Reputationsafe
              http://www.carterandcone.comd0%URL Reputationsafe
              http://www.carterandcone.comd0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              http://www.galapagosdesign.com/staff/dennis.htmJU0%Avira URL Cloudsafe
              http://www.sandoll.co.krl0%Avira URL Cloudsafe
              http://en.w0%URL Reputationsafe
              http://en.w0%URL Reputationsafe
              http://en.w0%URL Reputationsafe
              http://www.zhongyicts.com.cnj0%Avira URL Cloudsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.founder.com.cn/cn/0%URL Reputationsafe
              http://www.founder.com.cn/cn/0%URL Reputationsafe
              http://www.founder.com.cn/cn/0%URL Reputationsafe
              http://www.tiro.comrporation0%Avira URL Cloudsafe
              http://www.zhongyicts.com.cnad0%Avira URL Cloudsafe
              http://www.zhongyicts.com.cnamFA0%Avira URL Cloudsafe
              http://www.fontbureau.comgritaC0%Avira URL Cloudsafe
              http://www.ascendercorp.com/typedesigners.htmlXUJl0%Avira URL Cloudsafe
              http://www.carterandcone.comkYF=0%Avira URL Cloudsafe
              http://www.carterandcone.comn-u0%URL Reputationsafe
              http://www.carterandcone.comn-u0%URL Reputationsafe
              http://www.carterandcone.comn-u0%URL Reputationsafe
              http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
              http://www.zhongyicts.com.cnma0%Avira URL Cloudsafe
              http://www.tiro.com0%URL Reputationsafe
              http://www.tiro.com0%URL Reputationsafe
              http://www.tiro.com0%URL Reputationsafe
              http://www.carterandcone.comroa0%Avira URL Cloudsafe
              http://www.goodfont.co.kr0%URL Reputationsafe
              http://www.goodfont.co.kr0%URL Reputationsafe
              http://www.goodfont.co.kr0%URL Reputationsafe
              http://www.carterandcone.com0%URL Reputationsafe
              http://www.carterandcone.com0%URL Reputationsafe
              http://www.carterandcone.com0%URL Reputationsafe
              http://www.sandoll.co.krs-c0%Avira URL Cloudsafe
              http://www.typography.netD0%URL Reputationsafe
              http://www.typography.netD0%URL Reputationsafe
              http://www.typography.netD0%URL Reputationsafe
              http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
              http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
              http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
              http://fontfabrik.com0%URL Reputationsafe
              http://fontfabrik.com0%URL Reputationsafe
              http://fontfabrik.com0%URL Reputationsafe
              http://www.founder.com.cn/cnm0%Avira URL Cloudsafe
              http://www.sandoll.c0%Avira URL Cloudsafe
              https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
              https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
              https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
              https://api.telegram.orgx&.qloN0%Avira URL Cloudsafe
              http://www.sandoll.co.kr0%URL Reputationsafe
              http://www.sandoll.co.kr0%URL Reputationsafe
              http://www.sandoll.co.kr0%URL Reputationsafe
              http://www.carterandcone.comad0%Avira URL Cloudsafe
              http://www.urwpp.de0%URL Reputationsafe
              http://www.urwpp.de0%URL Reputationsafe
              http://www.urwpp.de0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              api.telegram.org
              		149.154.167.220
              		truefalse
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://127.0.0.1:HTTP/1.1ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		low
                http://www.carterandcone.comesttrpym.exe, 00000000.00000003.239292340.0000000005E7B000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.com/designers/frere-jones.html.ttrpym.exe, 00000000.00000003.245072326.0000000005E7B000.00000004.00000001.sdmpfalse
                  		high
                  http://crl.godaddy.com/gdig2s1-1823.crl0ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                    		high
                    http://www.fontbureau.com/designersttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                      		high
                      http://www.fontbureau.com/designerskYlHttrpym.exe, 00000000.00000003.244441566.0000000005E7D000.00000004.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.comttvaZttrpym.exe, 00000000.00000002.264530973.00000000016D7000.00000004.00000040.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.zhongyicts.com.cnr-cttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.sajatypeworks.comttrpym.exe, 00000000.00000003.233656365.0000000005E62000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cn/cThettrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.carterandcone.commattrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers)Yttrpym.exe, 00000000.00000003.245883722.0000000005E7B000.00000004.00000001.sdmpfalse
                          		high
                          http://www.carterandcone.comamFAttrpym.exe, 00000000.00000003.238931261.0000000005E7B000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.urwpp.deoittrpym.exe, 00000000.00000003.243771789.0000000005E7D000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlPttrpym.exe, 00000000.00000003.245112917.0000000005E9E000.00000004.00000001.sdmpfalse
                            		high
                            http://www.galapagosdesign.com/DPleasettrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            https://api.telegram.org/bot1534863067:AAHgkXiWvRLedLdzn8NhreUVQl7GIuV0U6g/ttrpym.exe, 00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmpfalse
                              		high
                              http://www.ascendercorp.com/typedesigners.htmlttrpym.exe, 00000000.00000003.242053272.0000000005E83000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers?Y0ttrpym.exe, 00000000.00000003.244251584.0000000005E7D000.00000004.00000001.sdmpfalse
                                		high
                                http://www.urwpp.deDPleasettrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cnompttrpym.exe, 00000000.00000003.238437682.0000000005E7B000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.urwpp.dewattrpym.exe, 00000000.00000003.243571729.0000000005E7D000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.zhongyicts.com.cnttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://certificates.godaddy.com/repository/gdig2.crt0ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                  		high
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipttrpym.exe, 00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/mttrpym.exe, 00000000.00000003.238160822.0000000005E7B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://api.telegram.orgx&.qttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmp, ttrpym.exe, 00000003.00000002.619638629.000000000343E000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://ocsp.godaddy.cttrpym.exe, 00000003.00000003.469945835.0000000007DCC000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.carterandcone.comdttrpym.exe, 00000000.00000003.239366599.0000000005E7B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hattrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmJUttrpym.exe, 00000000.00000003.247669599.0000000005E7B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://certs.godaddy.com/repository/1301ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krlttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://certs.godaddy.com/repository/0ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                      		high
                                      https://certs.godaddy.com/repositorttrpym.exe, 00000003.00000003.469945835.0000000007DCC000.00000004.00000001.sdmpfalse
                                        		high
                                        http://en.wttrpym.exe, 00000000.00000003.235365275.0000000005E7B000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.zhongyicts.com.cnjttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.carterandcone.comlttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cn/ttrpym.exe, 00000000.00000003.238052266.0000000005E7B000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://crl.godaddy.com/gdroot-g2.crl0Fttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.fontbureau.com/designers/frere-jones.htmlttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.tiro.comrporationttrpym.exe, 00000000.00000003.238437682.0000000005E7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.zhongyicts.com.cnadttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.zhongyicts.com.cnamFAttrpym.exe, 00000000.00000003.238783173.0000000005E7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.fontbureau.comgritaCttrpym.exe, 00000000.00000002.264530973.00000000016D7000.00000004.00000040.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.ascendercorp.com/typedesigners.htmlXUJlttrpym.exe, 00000000.00000003.241273039.0000000005E83000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.carterandcone.comkYF=ttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		low
                                            http://www.fontbureau.com/designersGttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.carterandcone.comn-uttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/?ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.fontbureau.com/designersLttrpym.exe, 00000000.00000003.244027978.0000000005E7D000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://www.founder.com.cn/cn/bThettrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://api.telegram.orgttrpym.exe, 00000003.00000002.619638629.000000000343E000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://certificates.godaddy.com/repository/0ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://www.fontbureau.com/designers?ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.zhongyicts.com.cnmattrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.tiro.comttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.carterandcone.comroattrpym.exe, 00000000.00000003.239201394.0000000005E7B000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.goodfont.co.krttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.carterandcone.comttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.sandoll.co.krs-cttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.typography.netDttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.galapagosdesign.com/staff/dennis.htmttrpym.exe, 00000000.00000003.247619500.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://fontfabrik.comttrpym.exe, 00000000.00000003.234788164.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.founder.com.cn/cnmttrpym.exe, 00000000.00000003.237899138.0000000005E80000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.sandoll.cttrpym.exe, 00000000.00000003.237222343.0000000005E7B000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://api.telegram.org/bot1534863067:AAHgkXiWvRLedLdzn8NhreUVQl7GIuV0U6g/sendDocumentttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://api.ipify.org%GETMozilla/5.0ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		low
                                                          https://api.telegram.orgx&.qloNttrpym.exe, 00000003.00000002.619638629.000000000343E000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		low
                                                          http://www.fonts.comttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                            		high
                                                            http://www.sandoll.co.krttrpym.exe, 00000000.00000003.237222343.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000003.237159926.0000000005E7B000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.carterandcone.comadttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://www.urwpp.dettrpym.exe, 00000000.00000003.246313205.0000000005E88000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000003.243655870.0000000005E7D000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.sakkal.comttrpym.exe, 00000000.00000003.242053272.0000000005E83000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.apache.org/licenses/LICENSE-2.0ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                              		high
                                                              http://www.carterandcone.comexcttrpym.exe, 00000000.00000003.238931261.0000000005E7B000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.fontbureau.comttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                                		high
                                                                http://DynDns.comDynDNSttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.sajatypeworks.comtttrpym.exe, 00000000.00000003.233656365.0000000005E62000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.carterandcone.comTCttrpym.exe, 00000000.00000003.240021767.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.fontbureau.com/designers/sttrpym.exe, 00000000.00000003.243841900.0000000005E7D000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.tiro.compttrpym.exe, 00000000.00000003.239902821.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://api.ipify.org%(ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		low
                                                                  http://www.tiro.comlicttrpym.exe, 00000000.00000003.240021767.0000000005E7B000.00000004.00000001.sdmp, ttrpym.exe, 00000000.00000003.239945309.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://api.telegram.org/bot1534863067:AAHgkXiWvRLedLdzn8NhreUVQl7GIuV0U6g/sendDocumentdocument-----ttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.carterandcone.comddttrpym.exe, 00000000.00000003.239779476.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    http://www.fontbureau.com/designers/cabarga.htmlNttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      http://pmTUNK.comttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://www.founder.com.cn/cnttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.carterandcone.comhlyttrpym.exe, 00000000.00000003.238931261.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://www.fontbureau.com/designers/cabarga.htmlttrpym.exe, 00000000.00000003.245848821.0000000005E9E000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        http://www.monotype.ttrpym.exe, 00000000.00000003.243086872.0000000005E7D000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        http://www.fontbureau.commttrpym.exe, 00000000.00000002.264530973.00000000016D7000.00000004.00000040.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        http://www.jiyu-kobo.co.jp/ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        http://crl.godaddy.com/gdroot.crl0Fttrpym.exe, 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          http://www.carterandcone.comEacdWttrpym.exe, 00000000.00000003.240021767.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          http://www.fontbureau.com/designers8ttrpym.exe, 00000000.00000002.272513220.0000000007072000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            http://www.carterandcone.comt;Fttrpym.exe, 00000000.00000003.239436981.0000000005E7B000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		low
                                                                            http://cert.sttrpym.exe, 00000003.00000003.522255884.0000000007DEC000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://www.fontbureau.com/designers/mttrpym.exe, 00000000.00000003.243841900.0000000005E7D000.00000004.00000001.sdmpfalse
                                                                              		high

                                                                              Contacted IPs

                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs

                                                                              Public

                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                              149.154.167.220
                                                                              		unknownUnited Kingdom
                                                                              		62041TELEGRAMRUfalse

                                                                              Private

                                                                              IP
                                                                              192.168.2.1

                                                                              General Information

                                                                              Joe Sandbox Version:31.0.0 Emerald
                                                                              Analysis ID:345001
                                                                              Start date:27.01.2021
                                                                              Start time:15:38:48
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 9m 8s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:light
                                                                              Sample file name:ttrpym.exe
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                              Number of analysed new started processes analysed:23
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.evad.winEXE@3/2@26/2
                                                                              EGA Information:Failed
                                                                              HDC Information:
                                                                              • Successful, ratio: 5.9% (good quality ratio 5.8%)
                                                                              • Quality average: 90.8%
                                                                              • Quality standard deviation: 21%
                                                                              HCA Information:
                                                                              • Successful, ratio: 75%
                                                                              • Number of executed functions: 0
                                                                              • Number of non-executed functions: 0
                                                                              Cookbook Comments:
                                                                              • Adjust boot time
                                                                              • Enable AMSI
                                                                              • Found application associated with file extension: .exe
                                                                              Warnings:
                                                                              Show All
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                              • TCP Packets have been reduced to 100
                                                                              • Excluded IPs from analysis (whitelisted): 104.43.193.48, 168.61.161.212, 40.88.32.150, 23.210.248.85, 51.104.144.132, 67.26.81.254, 8.248.121.254, 8.241.123.254, 67.27.159.254, 67.27.158.126, 93.184.221.240, 51.103.5.159, 52.155.217.156, 20.54.26.129, 95.101.22.224, 95.101.22.216, 51.104.139.180
                                                                              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net
                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/345001/sample/ttrpym.exe

                                                                              Simulations

                                                                              Behavior and APIs

                                                                              TimeTypeDescription
                                                                              15:39:49API Interceptor1008x Sleep call for process: ttrpym.exe modified

                                                                              Joe Sandbox View / Context

                                                                              IPs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                              149.154.167.220SecuriteInfo.com.Trojan.PackedNET.519.21836.exeGet hashmaliciousBrowse
                                                                                RFQ RPM202011-776JD.jpg.lnkGet hashmaliciousBrowse
                                                                                  commercial invoice packing list.xlsxGet hashmaliciousBrowse
                                                                                    Updated Invoice{swift..exeGet hashmaliciousBrowse
                                                                                      RFQ #6553928_PDF.exeGet hashmaliciousBrowse
                                                                                        MTD INVOICE.exeGet hashmaliciousBrowse
                                                                                          Payment Confirmation Paper - Customer Copy_pdf.exeGet hashmaliciousBrowse
                                                                                            MDS5932RFQ.exeGet hashmaliciousBrowse
                                                                                              TJyVCvjegT.exeGet hashmaliciousBrowse
                                                                                                Simulteanous-Project.exeGet hashmaliciousBrowse
                                                                                                  PO 012658.exeGet hashmaliciousBrowse
                                                                                                    RQN0004266.exeGet hashmaliciousBrowse
                                                                                                      tnD89iJ2Vx.exeGet hashmaliciousBrowse
                                                                                                        zff.exeGet hashmaliciousBrowse
                                                                                                          trr.exeGet hashmaliciousBrowse
                                                                                                            4dVgkhY953.exeGet hashmaliciousBrowse
                                                                                                              CI_PL_BL.xlsxGet hashmaliciousBrowse
                                                                                                                RFQ 130121.exeGet hashmaliciousBrowse
                                                                                                                  PO 130121.exeGet hashmaliciousBrowse
                                                                                                                    ttr.exeGet hashmaliciousBrowse

                                                                                                                      Domains

                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                      api.telegram.orgSecuriteInfo.com.Trojan.PackedNET.519.21836.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ RPM202011-776JD.jpg.lnkGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      commercial invoice packing list.xlsxGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Updated Invoice{swift..exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ #6553928_PDF.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      MTD INVOICE.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Payment Confirmation Paper - Customer Copy_pdf.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      MDS5932RFQ.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Simulteanous-Project.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      PO 012658.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RQN0004266.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      SecuriteInfo.com.Trojan.PackedNET.500.8394.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      tnD89iJ2Vx.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      zff.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      trr.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      4dVgkhY953.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      CI_PL_BL.xlsxGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ 130121.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      PO 130121.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      ttr.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220

                                                                                                                      ASN

                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                      TELEGRAMRUSecuriteInfo.com.Trojan.PackedNET.519.21836.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ RPM202011-776JD.jpg.lnkGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      commercial invoice packing list.xlsxGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Updated Invoice{swift..exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ #6553928_PDF.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      MTD INVOICE.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Payment Confirmation Paper - Customer Copy_pdf.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      MDS5932RFQ.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      TJyVCvjegT.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Simulteanous-Project.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      PO 012658.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RQN0004266.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      tnD89iJ2Vx.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      zff.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      trr.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      4dVgkhY953.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      CI_PL_BL.xlsxGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ 130121.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      PO 130121.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      ttr.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220

                                                                                                                      JA3 Fingerprints

                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                      3b5074b1b5d032e5620f69f9f700ff0eroboforex4multisetup.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      MV TAN BINH 135.pdf.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      SecuriteInfo.com.Variant.Zusy.363976.7571.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      SecuriteInfo.com.Trojan.PackedNET.519.21836.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ RPM202011-776JD.jpg.lnkGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      8Aobnx1VRi.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ-Strip Casting Line.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      NEW ORDER PO 20200909.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      U1G3qA2l4I.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Updated Invoice{swift..exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      SecuriteInfo.com.BehavesLike.Win32.Generic.mh.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      RFQ #6553928_PDF.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      SPpfYOx5Ju.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      MTD INVOICE.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      file.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Online_doc20.01.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      090008000000000000.exeGet hashmaliciousBrowse
                                                                                                                      • 149.154.167.220

                                                                                                                      Dropped Files

                                                                                                                      No context

                                                                                                                      Created / dropped Files

                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ttrpym.exe.log
                                                                                                                      Process:C:\Users\user\Desktop\ttrpym.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1216
                                                                                                                      Entropy (8bit):5.355304211458859
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                                                      MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                                                      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                                                      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                                                      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                                                      Malicious:true
                                                                                                                      Reputation:high, very likely benign file
                                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                                      C:\Users\user\AppData\Roaming\nozq152y.bbo\Chrome\Default\Cookies
                                                                                                                      Process:C:\Users\user\Desktop\ttrpym.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20480
                                                                                                                      Entropy (8bit):0.6969296358976265
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ
                                                                                                                      MD5:A9DBC7B8E523ABE3B02D77DBF2FCD645
                                                                                                                      SHA1:DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8
                                                                                                                      SHA-256:39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE
                                                                                                                      SHA-512:3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B
                                                                                                                      Malicious:false
                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                      Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                      Static File Info

                                                                                                                      General

                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Entropy (8bit):7.961464624984834
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                      File name:ttrpym.exe
                                                                                                                      File size:907776
                                                                                                                      MD5:3b53c639bd8ea883e5036a040f833415
                                                                                                                      SHA1:af2f707e2e787879a67994fbad96c3e2f418dd3a
                                                                                                                      SHA256:eca6a35d952f84597c3917f4c77f8c0e2cdeea6101caa97906dc1904e6f9e0ea
                                                                                                                      SHA512:d4788d45a4d9f240b1a1a39662af2e2ade354d8d2b2d6abc0488536f5e0f24531457fdba5ab2c8ea89cb359616ef83d774d52655e2281d46f63870972522b833
                                                                                                                      SSDEEP:24576:5pVLHCXj6FjdUXDvOTmNjfUeNp8b/1TR01bNP8VZ:53LH+uddUTvOEzUC21TROb98V
                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............*.... ........@.. .......................@............@................................

                                                                                                                      File Icon

                                                                                                                      Icon Hash:00828e8e8686b000

                                                                                                                      Static PE Info

                                                                                                                      General

                                                                                                                      Entrypoint:0x4def2a
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                      Time Stamp:0x6010ACC3 [Tue Jan 26 23:58:59 2021 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                      Entrypoint Preview

                                                                                                                      Instruction
                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al

                                                                                                                      Data Directories

                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xdeed80x4f.text
                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xe00000x58c.rsrc
                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xe20000xc.reloc
                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                      Sections

                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                      .text0x20000xdcf300xdd000False0.963299367223data7.96541170313IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                      .rsrc0xe00000x58c0x600False0.414713541667data4.04029792959IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                      .reloc0xe20000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                      Resources

                                                                                                                      NameRVASizeTypeLanguageCountry
                                                                                                                      RT_VERSION0xe00900x2fcdata
                                                                                                                      RT_MANIFEST0xe039c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                                      Imports

                                                                                                                      DLLImport
                                                                                                                      mscoree.dll_CorExeMain

                                                                                                                      Version Infos

                                                                                                                      DescriptionData
                                                                                                                      Translation0x0000 0x04b0
                                                                                                                      LegalCopyrightCopyright 2018
                                                                                                                      Assembly Version1.0.0.0
                                                                                                                      InternalNameo.exe
                                                                                                                      FileVersion1.0.0.0
                                                                                                                      CompanyName
                                                                                                                      LegalTrademarks
                                                                                                                      Comments
                                                                                                                      ProductNameMathLib
                                                                                                                      ProductVersion1.0.0.0
                                                                                                                      FileDescriptionMathLib
                                                                                                                      OriginalFilenameo.exe

                                                                                                                      Network Behavior

                                                                                                                      Network Port Distribution

                                                                                                                      TCP Packets

                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                      Jan 27, 2021 15:40:28.687222004 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:28.737272978 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.737596035 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:28.793538094 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:28.843585014 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.843657970 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.843683004 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.843707085 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.843724012 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.843780994 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:28.843802929 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:28.844851971 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.844871044 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.844955921 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:28.851510048 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:28.901681900 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.982672930 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:29.034112930 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.037432909 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:29.087413073 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.087440014 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.087450027 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.087477922 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.087596893 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:29.087645054 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:29.135551929 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.136955023 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:29.138926029 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.138961077 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.138972998 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.138984919 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.138995886 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.139010906 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.139024019 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.139036894 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:29.139053106 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.139132977 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:29.189526081 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.191422939 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.191474915 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.191508055 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.191533089 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.191557884 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.191582918 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.191606998 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:30.302746058 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:30.302782059 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:30.302870989 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:31.300745010 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:31.350812912 CET44349733149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:31.350900888 CET49733443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.070513010 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.120078087 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.120181084 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.121416092 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.170907021 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.171019077 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.171075106 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.171106100 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.171130896 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.171142101 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.171180964 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.172120094 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.172161102 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.172204018 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.174921989 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.224741936 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.244679928 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.294336081 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.295227051 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.344839096 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.344877958 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.344893932 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.344907999 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.345141888 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.345217943 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.396123886 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.396148920 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.396157980 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.396163940 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.396178961 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.396294117 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.396374941 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:32.396724939 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.396738052 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.396752119 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.447319984 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.447346926 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.447364092 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.447376966 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.447402954 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.447448969 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.447463989 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.612437010 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.612463951 CET44349737149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.612569094 CET49737443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:36.677257061 CET49744443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:36.728257895 CET44349744149.154.167.220192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:36.728379011 CET49744443192.168.2.7149.154.167.220
                                                                                                                      Jan 27, 2021 15:40:36.729243040 CET49744443192.168.2.7149.154.167.220

                                                                                                                      UDP Packets

                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                      Jan 27, 2021 15:39:33.715507984 CET5432953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:33.763349056 CET53543298.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:34.669538021 CET5805253192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:34.717581034 CET53580528.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:35.843195915 CET5400853192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:35.892709017 CET53540088.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:38.025835991 CET5945153192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:38.082242966 CET53594518.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:39.053725004 CET5291453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:39.101902008 CET53529148.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:40.089294910 CET6456953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:40.139744043 CET53645698.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:41.635791063 CET5281653192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:41.694269896 CET53528168.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:42.905051947 CET5078153192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:42.952841997 CET53507818.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:44.429778099 CET5423053192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:44.479804039 CET53542308.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:45.867139101 CET5491153192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:45.917840004 CET53549118.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:46.875595093 CET4995853192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:46.923955917 CET53499588.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:47.852305889 CET5086053192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:47.900228024 CET53508608.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:49.135725021 CET5045253192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:49.186652899 CET53504528.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:50.156994104 CET5973053192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:50.221220016 CET53597308.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:51.147923946 CET5931053192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:51.207005978 CET53593108.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:39:54.711616993 CET5191953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:39:54.772500038 CET53519198.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:04.847881079 CET6429653192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:04.898616076 CET53642968.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:22.687508106 CET5668053192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:22.736802101 CET53566808.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:22.843063116 CET5882053192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:22.893771887 CET53588208.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:23.025090933 CET6098353192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:23.072978020 CET53609838.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:26.948806047 CET4924753192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:27.724040985 CET5228653192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:28.005475998 CET4924753192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:28.658900976 CET53492478.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.659524918 CET53492478.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:28.690206051 CET53522868.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:29.574579000 CET5606453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:29.636046886 CET53560648.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:30.392115116 CET6374453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:30.474877119 CET53637448.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:31.338669062 CET6145753192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:31.390422106 CET53614578.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.106720924 CET5836753192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:32.163254023 CET53583678.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:32.832277060 CET6059953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:32.891266108 CET53605998.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:33.527162075 CET5957153192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:33.584872007 CET53595718.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:33.710160971 CET5268953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:33.773241043 CET53526898.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:34.985593081 CET5029053192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:35.044379950 CET53502908.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:36.149755001 CET6042753192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:36.205991030 CET53604278.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:36.624577045 CET5620953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:36.675945044 CET53562098.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:37.106697083 CET5958253192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:37.165129900 CET53595828.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:37.999283075 CET6094953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:38.055941105 CET53609498.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:38.533976078 CET5854253192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:38.596560955 CET53585428.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:42.044061899 CET5917953192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:42.094304085 CET53591798.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:47.259381056 CET6092753192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:47.310029984 CET53609278.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:52.646893978 CET5785453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:52.697794914 CET53578548.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:40:58.084070921 CET6202653192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:40:58.134624004 CET53620268.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:03.597238064 CET5945353192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:03.645111084 CET53594538.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:09.098335028 CET6246853192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:09.146516085 CET53624688.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:09.195938110 CET5256353192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:09.243799925 CET53525638.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:10.637166023 CET5472153192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:10.693717957 CET53547218.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:14.693689108 CET6282653192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:14.746314049 CET53628268.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:20.273941994 CET6204653192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:20.332885981 CET53620468.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:30.856502056 CET5122353192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:30.914367914 CET53512238.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:31.014096022 CET6390853192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:31.070439100 CET53639088.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:35.566085100 CET4922653192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:35.624517918 CET53492268.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:40.251019001 CET6021253192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:40.301875114 CET53602128.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:44.977015972 CET5886753192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:45.026854038 CET53588678.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:41:55.161653042 CET5086453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:56.198138952 CET5086453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:41:56.248830080 CET53508648.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:42:03.052429914 CET6150453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:42:03.101008892 CET53615048.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:42:11.725560904 CET6023153192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:42:11.773346901 CET53602318.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:42:20.497102022 CET5009553192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:42:20.547625065 CET53500958.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:42:29.290561914 CET5965453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:42:30.305404902 CET5965453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:42:31.301431894 CET5965453192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:42:31.349600077 CET53596548.8.8.8192.168.2.7
                                                                                                                      Jan 27, 2021 15:42:37.549274921 CET5823353192.168.2.78.8.8.8
                                                                                                                      Jan 27, 2021 15:42:37.599611998 CET53582338.8.8.8192.168.2.7

                                                                                                                      DNS Queries

                                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                      Jan 27, 2021 15:40:26.948806047 CET192.168.2.78.8.8.80x3f26Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:28.005475998 CET192.168.2.78.8.8.80x3f26Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:31.338669062 CET192.168.2.78.8.8.80x4202Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:36.624577045 CET192.168.2.78.8.8.80x8badStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:42.044061899 CET192.168.2.78.8.8.80x307bStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:47.259381056 CET192.168.2.78.8.8.80xc18cStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:52.646893978 CET192.168.2.78.8.8.80xc3dcStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:58.084070921 CET192.168.2.78.8.8.80x399fStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:03.597238064 CET192.168.2.78.8.8.80x47aStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:09.098335028 CET192.168.2.78.8.8.80x8b7bStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:14.693689108 CET192.168.2.78.8.8.80x2aa9Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:20.273941994 CET192.168.2.78.8.8.80x6dd9Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:30.856502056 CET192.168.2.78.8.8.80xfd15Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:31.014096022 CET192.168.2.78.8.8.80xdb27Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:35.566085100 CET192.168.2.78.8.8.80x3a3cStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:40.251019001 CET192.168.2.78.8.8.80x5d07Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:44.977015972 CET192.168.2.78.8.8.80x9502Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:55.161653042 CET192.168.2.78.8.8.80x93caStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:56.198138952 CET192.168.2.78.8.8.80x93caStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:03.052429914 CET192.168.2.78.8.8.80xcb65Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:11.725560904 CET192.168.2.78.8.8.80x5bddStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:20.497102022 CET192.168.2.78.8.8.80x6a7eStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:29.290561914 CET192.168.2.78.8.8.80xc759Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:30.305404902 CET192.168.2.78.8.8.80xc759Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:31.301431894 CET192.168.2.78.8.8.80xc759Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:37.549274921 CET192.168.2.78.8.8.80xc568Standard query (0)api.telegram.orgA (IP address)IN (0x0001)

                                                                                                                      DNS Answers

                                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                      Jan 27, 2021 15:40:28.658900976 CET8.8.8.8192.168.2.70x3f26No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:28.659524918 CET8.8.8.8192.168.2.70x3f26No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:31.390422106 CET8.8.8.8192.168.2.70x4202No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:36.675945044 CET8.8.8.8192.168.2.70x8badNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:42.094304085 CET8.8.8.8192.168.2.70x307bNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:47.310029984 CET8.8.8.8192.168.2.70xc18cNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:52.697794914 CET8.8.8.8192.168.2.70xc3dcNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:40:58.134624004 CET8.8.8.8192.168.2.70x399fNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:03.645111084 CET8.8.8.8192.168.2.70x47aNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:09.146516085 CET8.8.8.8192.168.2.70x8b7bNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:14.746314049 CET8.8.8.8192.168.2.70x2aa9No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:20.332885981 CET8.8.8.8192.168.2.70x6dd9No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:30.914367914 CET8.8.8.8192.168.2.70xfd15No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:31.070439100 CET8.8.8.8192.168.2.70xdb27No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:35.624517918 CET8.8.8.8192.168.2.70x3a3cNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:40.301875114 CET8.8.8.8192.168.2.70x5d07No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:45.026854038 CET8.8.8.8192.168.2.70x9502No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:41:56.248830080 CET8.8.8.8192.168.2.70x93caNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:03.101008892 CET8.8.8.8192.168.2.70xcb65No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:11.773346901 CET8.8.8.8192.168.2.70x5bddNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:20.547625065 CET8.8.8.8192.168.2.70x6a7eNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:31.349600077 CET8.8.8.8192.168.2.70xc759No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                                      Jan 27, 2021 15:42:37.599611998 CET8.8.8.8192.168.2.70xc568No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)

                                                                                                                      HTTPS Packets

                                                                                                                      TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                                                      Jan 27, 2021 15:40:28.844851971 CET149.154.167.220443192.168.2.749733CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:40:32.172120094 CET149.154.167.220443192.168.2.749737CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:40:36.780297041 CET149.154.167.220443192.168.2.749744CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:40:42.199759960 CET149.154.167.220443192.168.2.749752CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:40:47.413180113 CET149.154.167.220443192.168.2.749753CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:40:52.801297903 CET149.154.167.220443192.168.2.749754CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:40:58.239384890 CET149.154.167.220443192.168.2.749755CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:03.753128052 CET149.154.167.220443192.168.2.749756CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:09.253482103 CET149.154.167.220443192.168.2.749757CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:14.850255013 CET149.154.167.220443192.168.2.749760CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:20.446326017 CET149.154.167.220443192.168.2.749761CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:31.024688005 CET149.154.167.220443192.168.2.749762CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:35.728291988 CET149.154.167.220443192.168.2.749764CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:40.411825895 CET149.154.167.220443192.168.2.749765CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:45.141561031 CET149.154.167.220443192.168.2.749766CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:41:56.357264996 CET149.154.167.220443192.168.2.749767CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:42:03.210078001 CET149.154.167.220443192.168.2.749768CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:42:11.882802963 CET149.154.167.220443192.168.2.749769CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:42:20.660326004 CET149.154.167.220443192.168.2.749770CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:42:31.467353106 CET149.154.167.220443192.168.2.749771CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034
                                                                                                                      Jan 27, 2021 15:42:37.710154057 CET149.154.167.220443192.168.2.749772CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USCN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                                      CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USTue May 03 09:00:00 CEST 2011Sat May 03 09:00:00 CEST 2031
                                                                                                                      CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USWed Jan 01 08:00:00 CET 2014Fri May 30 09:00:00 CEST 2031
                                                                                                                      OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USOU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=USTue Jun 29 19:06:20 CEST 2004Thu Jun 29 19:06:20 CEST 2034

                                                                                                                      Code Manipulations

                                                                                                                      Statistics

                                                                                                                      Behavior

                                                                                                                      Click to jump to process

                                                                                                                      System Behavior

                                                                                                                      Analysis Process: ttrpym.exe PID: 6400 Parent PID: 5768

                                                                                                                      General

                                                                                                                      Start time:15:39:38
                                                                                                                      Start date:27/01/2021
                                                                                                                      Path:C:\Users\user\Desktop\ttrpym.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:'C:\Users\user\Desktop\ttrpym.exe'
                                                                                                                      Imagebase:0xb80000
                                                                                                                      File size:907776 bytes
                                                                                                                      MD5 hash:3B53C639BD8EA883E5036A040F833415
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Reputation:low

                                                                                                                      Analysis Process: ttrpym.exe PID: 6732 Parent PID: 6400

                                                                                                                      General

                                                                                                                      Start time:15:39:52
                                                                                                                      Start date:27/01/2021
                                                                                                                      Path:C:\Users\user\Desktop\ttrpym.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:{path}
                                                                                                                      Imagebase:0xaa0000
                                                                                                                      File size:907776 bytes
                                                                                                                      MD5 hash:3B53C639BD8EA883E5036A040F833415
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.619489004.0000000003391000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.614226904.0000000000F82000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                      Reputation:low

                                                                                                                      Disassembly

                                                                                                                      Code Analysis

                                                                                                                      Reset < >