
Windows Analysis Report U57z89iyVo.exe

Overview

General Information

Sample Name: U57z89iyVo.exe
Analysis ID: 546723
MD5: a24919ea7bfce78d50511bac92771d3d
SHA1: 7d69da083289909d3a440989aa63c8a24ca78bec
SHA256: b608e81d6c6a42e1c2f39b484697362ca1a1835b3a13ed878a350841aa9806ae
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected Dridex e-Banking trojan
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • U57z89iyVo.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\U57z89iyVo.exe" MD5: A24919EA7BFCE78D50511BAC92771D3D)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 10111, "C2 list": ["103.9.36.172:443", "103.70.29.126:593", "46.101.175.170:10172"], "RC4 keys": ["CisvU52kuCqMOp5DJVJjX7NpSOgbFn5Z", "BuEjfhtq8TjhQNb5njPJFUKys2hxPATu0lv0D3Dehj6DP2DBu0bINeCHPnMKWBGwRiks5KDBnA"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.610353807.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000000.00000002.614056439.0000000002260000.00000040.00000001.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.U57z89iyVo.exe.2260000.1.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0.2.U57z89iyVo.exe.400000.0.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0.2.U57z89iyVo.exe.2260000.1.raw.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0.2.U57z89iyVo.exe.400000.0.raw.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.U57z89iyVo.exe.400000.0.unpack | Malware Configuration Extractor: Dridex {"Version": 10111, "C2 list": ["103.9.36.172:443", "103.70.29.126:593", "46.101.175.170:10172"], "RC4 keys": ["CisvU52kuCqMOp5DJVJjX7NpSOgbFn5Z", "BuEjfhtq8TjhQNb5njPJFUKys2hxPATu0lv0D3Dehj6DP2DBu0bINeCHPnMKWBGwRiks5KDBnA"]}
Multi AV Scanner detection for submitted file
Source: U57z89iyVo.exe | Virustotal: Detection: 52%
Source: U57z89iyVo.exe | Metadefender: Detection: 25%
Source: U57z89iyVo.exe | ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: U57z89iyVo.exe | Avira: detected
Machine Learning detection for sample
Source: U57z89iyVo.exe | Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\U57z89iyVo.exe | Unpacked PE file: 0.2.U57z89iyVo.exe.400000.0.unpack
Source: U57z89iyVo.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 103.9.36.172:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0042CEF8 FindFirstFileExW, 0_2_0042CEF8

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 103.9.36.172:443
Source: Malware configuration extractor | IPs: 103.70.29.126:593
Source: Malware configuration extractor | IPs: 46.101.175.170:10172
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 103.9.36.172 | Content-Length: 4850 | Connection: Close | Cache-Control: no-cache (32 identical entries in the report)
Source: global traffic | TCP traffic: 192.168.2.6:49756 -> 103.70.29.126:593
Source: global traffic | TCP traffic: 192.168.2.6:49758 -> 46.101.175.170:10172
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown | Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:35:35 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:35:41 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:35:44 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:35:48 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:35:52 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:35:55 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:01 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:04 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:09 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:13 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:16 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:19 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:23 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:27 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:31 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:34 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:37 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:41 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:46 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:49 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:52 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:56 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:36:59 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:02 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:05 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:08 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:12 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:16 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:22 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:25 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:28 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 06:37:33 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 103.9.36.172 (21 identical entries in the report)
Source: unknown | TCP traffic detected without corresponding DNS query: 103.70.29.126 (18 identical entries in the report)
Source: unknown | TCP traffic detected without corresponding DNS query: 46.101.175.170 (11 identical entries in the report)
              Source: U57z89iyVo.exe, 00000000.00000003.442351550.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.417156356.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.388406771.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.440695040.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.352919513.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.497439551.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.485816826.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.574622322.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.552931844.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.447775453.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.457039195.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.364819759.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.472029303.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.511398374.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000002.613709229.0000000000839000.00000004.00000020.sdmp, U57z89iyVo.exe, 00000000.00000003.351024149.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.359259578.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.587983799.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.397252472.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.478773734.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.581433085.0000000000839000.00000004.00000001.sdmp, U57z89iyVo.exe, 00000000.00000003.464082503.0000000000839000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: unknown; HTTP traffic detected: POST / HTTP/1.1 Host: 103.9.36.172 Content-Length: 4850 Connection: Close Cache-Control: no-cache
              Source: C:\Users\user\Desktop\U57z89iyVo.exe; Code function: 0_2_004339F9 InternetReadFile, 0_2_004339F9
              Source: unknown; HTTPS traffic detected: 103.9.36.172:443 -> 192.168.2.6:49755 version: TLS 1.2
              Source: U57z89iyVo.exe, 00000000.00000002.611019614.00000000007CA000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              E-Banking Fraud:

              Yara detected Dridex unpacked file
              Source: Yara match; File source: 0.2.U57z89iyVo.exe.2260000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.U57z89iyVo.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.U57z89iyVo.exe.2260000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.U57z89iyVo.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000000.00000002.610353807.0000000000400000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.614056439.0000000002260000.00000040.00000001.sdmp, type: MEMORY
              Detected Dridex e-Banking trojan
              Source: C:\Users\user\Desktop\U57z89iyVo.exe; Code function: 0_2_00405150 OutputDebugStringA, Sleep, OutputDebugStringA, OutputDebugStringA, Sleep, OutputDebugStringA, OutputDebugStringA, Sleep, OutputDebugStringA, OutputDebugStringA, Sleep, OutputDebugStringA, GetAdaptersInfo, LoadLibraryW, 0_2_00405150
              Source: U57z89iyVo.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00405150
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004167C8
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00421020
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041D030
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004188C0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00418CC0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0040ACD0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041A0D0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004198DA
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041E0A0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0042DCA0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004250A0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00424CA0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00425CB0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00417564
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00401570
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041FDD0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004289F0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004271F0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041D980
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0042D180
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041C590
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0040F9A0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00421240
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041A660
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00427660
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00422E60
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00409E70
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00419E70
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0040CA10
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0042FA10
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00420220
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0042D620
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00423EC0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00406AD0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004196D0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041F6E0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041B6F0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00418EF0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004262F0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041AE80
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00418AB0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00421EB0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004226B0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041BF50
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00415B60
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00423B00
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00429B10
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00421730
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004183C0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00417FC0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00427FC0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0041E3F0
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_004122A0 NtDelayExecution
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0042BE30 NtClose
              Source: U57z89iyVo.exe, 00000000.00000002.610560386.00000000004A6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePropSchemasetip.exeX vs U57z89iyVo.exe
              Source: U57z89iyVo.exe | Binary or memory string: OriginalFilenamePropSchemasetip.exeX vs U57z89iyVo.exe
              Source: U57z89iyVo.exe | Virustotal: Detection: 52%
              Source: U57z89iyVo.exe | Metadefender: Detection: 25%
              Source: U57z89iyVo.exe | ReversingLabs: Detection: 77%
              Source: U57z89iyVo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@1/2@0/3
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | File read: C:\Windows\System32\drivers\etc\hosts

              Data Obfuscation:

              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Unpacked PE file: 0.2.U57z89iyVo.exe.400000.0.unpack
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Unpacked PE file: 0.2.U57z89iyVo.exe.400000.0.unpack .text:ER;.rdata:R;.rdata2:W;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_007B5B50 push edx; ret | 0_2_007B5CDE
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00777192 push dword ptr [ebp+ecx*8-49h]; retf | 0_2_00777196
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_007962ED pushad ; iretd | 0_2_00796305
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0078F6ED push esi; ret | 0_2_0078F6F7
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_007789ED push 00000369h; ret | 0_2_00778A48
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_007789BD push 00000369h; ret | 0_2_00778A48
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_0079FB94 push esi; ret | 0_2_0079FBAB
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00771D31 push FFFFFFD5h; ret | 0_2_00771D38
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Code function: 0_2_00770EAF push esi; ret | 0_2_00770EB4
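The nine code-function findings above are push-register, push-immediate and pushad instructions immediately followed by ret, retf or iretd: the return is used as an indirect jump so the real control flow does not show up as a call or jmp. As an added example, mine rather than code from the report or the sandbox, the scanner below finds those instruction forms in a byte buffer. The buffer is constructed to contain the forms listed above alongside a normal prologue and epilogue; it is not a dump of the sample, and the base address 0x770000 is a placeholder chosen only because the report's hits fall in that region. The scan is byte-wise rather than a full disassembly, so it reports a pair wherever the bytes line up, and it does not decode the memory-operand form (push dword ptr [ebp+ecx*8-49h]; retf) that appears in one of the findings.

```python
"""Scan a code buffer for the push/ret control-flow obfuscation pattern
listed in the report.  Added example, not part of the sandbox report."""

# 32-bit x86 opcode bytes used here: 0x50-0x57 push r32, 0x68 push imm32,
# 0x6A push imm8 (sign-extended), 0x60 pushad, 0xC3 ret, 0xCB retf, 0xCF iretd.
PUSH_REG = range(0x50, 0x58)
PUSH_IMM32 = 0x68
PUSH_IMM8 = 0x6A
PUSHAD = 0x60
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_push(buf: bytes, i: int):
    """Decode the push form at buf[i]; return (text, length) or None.
    The memory-operand form (FF /6) is deliberately not handled."""
    op = buf[i]
    if op in PUSH_REG:
        return f"push {REG32[op - 0x50]}", 1
    if op == PUSH_IMM32 and i + 5 <= len(buf):
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    if op == PUSH_IMM8 and i + 2 <= len(buf):
        # imm8 is sign-extended to 32 bits, which is why the report shows
        # a one-byte push as FFFFFFD5h.
        imm = int.from_bytes(buf[i + 1:i + 2], "little", signed=True) & 0xFFFFFFFF
        return f"push {imm:08X}h", 2
    if op == PUSHAD:
        return "pushad", 1
    return None


def find_push_ret(buf: bytes, base: int = 0) -> list:
    """Return (address, text) for every push immediately followed by a
    return.  Byte-wise scan, no full disassembly: a hit can start in the
    middle of a longer instruction, so treat results as leads."""
    hits = []
    for i in range(len(buf)):
        decoded = decode_push(buf, i)
        if decoded is None:
            continue
        text, length = decoded
        j = i + length
        if j < len(buf) and buf[j] in RETURNS:
            hits.append((base + i, f"{text}; {RETURNS[buf[j]]}"))
    return hits


# Constructed buffer (not a dump of the sample): a normal prologue, then the
# instruction forms the report lists, then a plain epilogue.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                       # push ebp; mov ebp, esp (no return follows)
    0x52, 0xC3,                             # push edx; ret
    0x56, 0xC3,                             # push esi; ret
    0x68, 0x69, 0x03, 0x00, 0x00, 0xC3,     # push 00000369h; ret
    0x6A, 0xD5, 0xC3,                       # push FFFFFFD5h; ret
    0x60, 0xCF,                             # pushad; iretd
    0x33, 0xC0, 0xC3,                       # xor eax, eax; ret (plain return)
])

# Placeholder base address; the report's hits lie in the 0x77xxxx-0x7Bxxxx range.
SAMPLE_BASE = 0x770000
```

A push ebp / mov ebp, esp prologue is not flagged because the push is followed by a mov, and a normal pop ebp / ret epilogue is not flagged because pop is a different opcode range; only a push that flows straight into a return is reported.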
              Source: U57z89iyVo.exe | Static PE information: section name: .rdata2
              Source: C:\Users\user\Desktop\U57z89iyVo.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
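The section-rights finding in this category compares two section tables: the one with .rdata2 and .rsrc and no .reloc, which matches the static PE information for the file on disk (a .rdata2 section, RELOCS_STRIPPED), and the one with .reloc and no .rdata2, which belongs to the unpacked image. As an added example, not code from the report or the sandbox, the script below parses a PE section table and reports sections present on only one side, sections whose execute/read/write flags differ, and non-standard section names. Both images are constructed inside the script from a DOS header, a COFF header and a section table only, so they are not runnable executables; the E/R/W letters are my own rendering of the three IMAGE_SCN_MEM flags rather than the sandbox's compact notation, and the list of standard section names is an assumption.

```python
"""Compare the section table of an on-disk PE with that of an unpacked
in-memory image, as the 'changes PE section rights' finding does.
Added example, not part of the sandbox report."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed list of names a linker normally emits; anything else is reported.
STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".bss", ".tls", ".CRT",
}


def build_pe(sections) -> bytes:
    """Build a minimal constructed PE: DOS header with e_lfanew, 'PE\\0\\0',
    a COFF header with SizeOfOptionalHeader = 0, and one 40-byte section
    header per (name, characteristics).  No section data is emitted."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    for name, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"),
                             0, 0, 0, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + table


def parse_sections(pe: bytes) -> list:
    """Return [(name, characteristics)] from a PE's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for k in range(nsections):
        off = table + 40 * k
        name = struct.unpack_from("<8s", pe, off)[0].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        out.append((name, chars))
    return out


def rights(chars: int) -> str:
    """Render the three IMAGE_SCN_MEM flags as E/R/W letters (own notation)."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for flag, letter in flags if chars & flag)


def rights_summary(pe: bytes) -> str:
    """One-line 'name:rights;...' summary of a section table."""
    return ";".join(f"{name}:{rights(chars)}" for name, chars in parse_sections(pe))


def compare_section_rights(disk_pe: bytes, memory_pe: bytes) -> list:
    """Findings that distinguish the unpacked image from the on-disk file."""
    disk = dict(parse_sections(disk_pe))
    mem = dict(parse_sections(memory_pe))
    findings = []
    for name in mem.keys() - disk.keys():
        findings.append(f"section {name} present only in memory")
    for name in disk.keys() - mem.keys():
        findings.append(f"section {name} present only on disk")
    for name in disk.keys() & mem.keys():
        if rights(disk[name]) != rights(mem[name]):
            findings.append(f"{name}: {rights(disk[name])} on disk vs {rights(mem[name])} in memory")
    for name in disk.keys() | mem.keys():
        if name not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name {name}")
    return sorted(findings)


# Constructed section tables modelled on the report's two layouts.
_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
_RO = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
DISK_IMAGE = build_pe([(".text", _CODE), (".rdata", _RO), (".rdata2", _RW), (".data", _RW), (".rsrc", _RO)])
MEMORY_IMAGE = build_pe([(".text", _CODE), (".rdata", _RO), (".data", _RW), (".reloc", _RO)])
```

With real inputs the on-disk bytes come from the file and the in-memory copy from a process dump taken after the unpacking stub has run; the parser only needs the headers, which is why the constructed images carry no section data.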