
Windows Analysis Report
DrYFu0WLwMjz5fY.exe

Overview

General Information

Sample Name: DrYFu0WLwMjz5fY.exe
Analysis ID: 635165
MD5: a95183abde70960bccc37b897ccd0699
SHA1: 21765fad9cec8831ef6e7361076abd779f4bf68c
SHA256: 981affe9133f68da268a562ad4c6f16464b7d00e4a596bae4516e984bfd04cff
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Adds / modifies Windows certificates
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • DrYFu0WLwMjz5fY.exe (PID: 2964 cmdline: "C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe" MD5: A95183ABDE70960BCCC37B897CCD0699)
    • DrYFu0WLwMjz5fY.exe (PID: 5144 cmdline: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe MD5: A95183ABDE70960BCCC37B897CCD0699)
  • cleanup
Extracted malware configuration: {"Exfil Mode": "SMTP", "Username": "lewislog@samsung-tv.buzz", "Password": "7213575aceACE@#$", "Host": "samsung-tv.buzz"}
Yara matches in memory dumps:

Source | Rule | Description | Author
00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.267918532.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.267918532.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.283159359.000000000462D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Yara matches in unpacked PE files:

Source | Rule | Description | Author
0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Matched strings:
  • 0x30d60:$s10: logins
  • 0x307c7:$s11: credential
  • 0x2cdb5:$g1: get_Clipboard
  • 0x2cdc3:$g2: get_Keyboard
  • 0x2cdd0:$g3: get_Password
  • 0x2e0ce:$g4: get_CtrlKeyDown
  • 0x2e0de:$g5: get_ShiftKeyDown
  • 0x2e0ef:$g6: get_AltKeyDown
4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "lewislog@samsung-tv.buzz", "Password": "7213575aceACE@#$", "Host": "samsung-tv.buzz"}
Source: DrYFu0WLwMjz5fY.exe | ReversingLabs: Detection: 34%
Source: DrYFu0WLwMjz5fY.exe | Joe Sandbox ML: detected
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: DrYFu0WLwMjz5fY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DrYFu0WLwMjz5fY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: Joe Sandbox View | ASN Name: ITLASUA ITLASUA
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 195.54.163.133:587
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.302046074.00000000071B4000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300868927.00000000071B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.302046074.00000000071B4000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300868927.00000000071B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.302066897.000000000728B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301879715.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301260375.00000000074B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301345594.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313665694.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313768380.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.429330402.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.508073762.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.307999640.00000000074A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301345594.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313665694.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313768380.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.429330402.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.508073762.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.307999640.00000000074A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301364748.000000000749E000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300839908.00000000071DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300839908.00000000071DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301364748.000000000749E000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.249776689.0000000007E78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerss
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.276898324.0000000001080000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comO
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.276898324.0000000001080000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomoO
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.276898324.0000000001080000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgritaj
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.246896530.0000000007E87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.246183077.0000000007E83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnn
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.246183077.0000000007E83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnres6
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301746900.000000000743A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301220987.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301970914.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313896786.00000000074C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.243286079.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245633016.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.243418962.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245705070.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.243491308.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.246908158.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245302086.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245125297.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245856413.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.244505414.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.246198057.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.243571299.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245187447.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.244766277.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.244276479.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245470704.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245959602.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 
00000000.00000003.244303041.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.245166380.0000000007E8B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.246419392.0000000007E8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.243019647.0000000007E92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com2
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247759827.0000000007E85000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247705436.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247089609.0000000007E75000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247829014.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247808366.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247745863.0000000007E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.247759827.0000000007E85000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247705436.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247745863.0000000007E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comn-E
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.247705436.0000000007E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comslnt
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.248919812.0000000007E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.dea
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247385713.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247429001.0000000007E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.247385713.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247705436.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247429001.0000000007E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnh
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.247385713.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247429001.0000000007E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnlt
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000003.247385713.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247429001.0000000007E7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnr-tx
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.429398254.0000000007272000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.506114167.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.505912640.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.507974553.0000000007274000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.429398254.0000000007272000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.506114167.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.505912640.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.507974553.0000000007274000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%%startupfolder%
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://eca.hinet.net/repository0
Source: DrYFu0WLwMjz5fY.exe | String found in binary or memory: https://github.com
Source: DrYFu0WLwMjz5fY.exe | String found in binary or memory: https://github.com/dcoetzee/plants-vs-zombies-user-file-editor
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.506027421.00000000037D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gzfDu6ujAxiMfCL0s7YA.com
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/address/)1(0&
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel05
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300839908.00000000071DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.hu/docs/
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.301345594.00000000074A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.net/docs
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown | DNS traffic detected: queries for: samsung-tv.buzz

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.44c0620.7.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.98d0000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.4430a00.6.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.98d0000.12.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.462d590.10.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.44c0620.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DrYFu0WLwMjz5fY.exe.4430a00.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.286677931.00000000098D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack, 4.0.DrYFu0WLwMjz5fY.exe.400000.6.unpack, 4.0.DrYFu0WLwMjz5fY.exe.400000.8.unpack, 4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack, 4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack and 4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack, <PrivateImplementationDetails>{B78F8ED1-8526-4A8C-B434-8894A4F7354F}/67C580ED-9D01-4F86-938E-12F487DD747F.cs | Large array initialization: .cctor: array initializer size 11644
Source: DrYFu0WLwMjz5fY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DrYFu0WLwMjz5fY.exe.44c0620.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DrYFu0WLwMjz5fY.exe.98d0000.12.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DrYFu0WLwMjz5fY.exe.4430a00.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DrYFu0WLwMjz5fY.exe.98d0000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DrYFu0WLwMjz5fY.exe.462d590.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DrYFu0WLwMjz5fY.exe.44c0620.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DrYFu0WLwMjz5fY.exe.4430a00.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.286677931.00000000098D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
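The rule matches above name the same payloads in three ways: unpacked images (`<process>.<phase>.<image>.<base>.<index>.unpack`, with or without `.raw`), memory dumps (`.sdmp`) and process memory strings. The Python below is an added example, not Joe Sandbox code: it decodes those names, groups the hits per rule, and lists dump regions that are PAGE_EXECUTE_READWRITE in MEM_PRIVATE memory, which is where the injected AgentTesla image sits in process 4 (base 0x402000, carrying the OriginalFilename string listed further down). The field layout assumed for `.sdmp` names (process index, dump phase, id, base address, page protection, an undecoded field, memory type, an undecoded field) is inferred from this report's own cross-references, for instance dump `00000004.00000000.*.0000000000402000.*` next to unpack `4.0.*.400000.*`, and the protection and type values are decoded with the winnt.h constants. The sample lines are a constructed subset of the evidence above in a `Source: ... | detail` layout.

```python
"""Decode Joe Sandbox evidence names and group YARA hits per rule.

Added example, not Joe Sandbox code.  Assumed .sdmp name layout:
<process>.<phase>.<id>.<base>.<page protection>.<?>.<memory type>.<?>.sdmp
"""
import re
from collections import defaultdict

# winnt.h page protection and memory type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"(?P<proc>{HEX8})\.(?P<phase>{HEX8})\.(?P<uid>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})"
    rf"\.(?P<prot>{HEX8})\.{HEX8}\.(?P<mtype>{HEX8})\.{HEX8}\.sdmp"
)
UNPACK_RE = re.compile(
    r"(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)"
    r"\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack"
)
SOURCE_RE = re.compile(r"Source:\s*(?P<src>[^,|]+)")
# Accepts both renderings seen in the report: '... Author: X' and '... author = X, ...'.
RULE_RE = re.compile(r"Matched rule:\s*(?P<rule>.+?)\s+(?:Author:|author\s*=)\s*(?P<author>[^,\s]+)")


def describe_region(name):
    """Decode a memory-dump (.sdmp) or unpacked-PE (.unpack) name; None if neither."""
    m = SDMP_RE.fullmatch(name)
    if m:
        prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
        return {"kind": "sdmp", "process": int(m["proc"], 16), "phase": int(m["phase"], 16),
                "base": int(m["base"], 16), "protect": PAGE_PROTECT.get(prot, hex(prot)),
                "type": MEM_TYPE.get(mtype, hex(mtype))}
    m = UNPACK_RE.fullmatch(name)
    if m:
        return {"kind": "raw" if m["raw"] else "unpack", "process": int(m["proc"]),
                "phase": int(m["phase"]), "base": int(m["base"], 16),
                "image": m["image"], "index": int(m["idx"])}
    return None


def parse_yara_hits(lines):
    """rule name -> sorted list of (process, base, kind) over all 'Matched rule' lines."""
    hits = defaultdict(set)
    for line in lines:
        rm, sm = RULE_RE.search(line), SOURCE_RE.search(line)
        if rm and sm and (region := describe_region(sm["src"].strip())):
            hits[rm["rule"]].add((region["process"], region["base"], region["kind"]))
    return {rule: sorted(regions) for rule, regions in hits.items()}


def rwx_private_regions(lines):
    """Decoded .sdmp regions that are PAGE_EXECUTE_READWRITE in MEM_PRIVATE memory:
    code written into a process rather than mapped from an image file."""
    found, seen = [], set()
    for line in lines:
        for m in SDMP_RE.finditer(line):
            r = describe_region(m.group(0))
            key = (r["process"], r["base"])
            if (r["protect"], r["type"]) == ("PAGE_EXECUTE_READWRITE", "MEM_PRIVATE") and key not in seen:
                seen.add(key)
                found.append(r)
    return found


# Constructed subset of this report's evidence lines in 'Source: ... | detail' form.
SAMPLE_LINES = [
    "Source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack, type: UNPACKEDPE | Matched rule: "
    "MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload",
    "Source: 4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: "
    "MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload",
    "Source: 0.2.DrYFu0WLwMjz5fY.exe.98d0000.12.raw.unpack, type: UNPACKEDPE | Matched rule: "
    "MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT",
    "Source: 00000000.00000002.286677931.00000000098D0000.00000004.08000000.00040000.00000000.sdmp, "
    "type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT",
    "Source: DrYFu0WLwMjz5fY.exe, 00000004.00000000.272725067.0000000000402000.00000040.00000400."
    "00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4",
]

if __name__ == "__main__":
    for rule, regions in parse_yara_hits(SAMPLE_LINES).items():
        print(rule, [(p, hex(b), k) for p, b, k in regions])
    for r in rwx_private_regions(SAMPLE_LINES):
        print(f"RWX private region: process {r['process']} base {r['base']:#x} ({r['protect']}, {r['type']})")
```

Running it over the full report text rather than the sample shows the split at a glance: zgRAT only ever matches in process 0 (the loader's own memory), while every AgentTeslaV3 match in process 4 sits at image base 0x400000, the hollowed child.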
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code functions: 0_2_00DF2180, 0_2_00DF0480, 0_2_00DF17C0, 0_2_00DF0F38, 0_2_00DF50E8, 0_2_00DF11F0, 0_2_00DF2170, 0_2_00DF1200, 0_2_00DF5320, 0_2_00DF0471, 0_2_00DF5560, 0_2_00DF5740, 0_2_00DF1C30, 0_2_00DF4D40, 0_2_00DF3ED0, 0_2_00DF3EE0, 0_2_00DF0EBD, 0_2_04E97CC0, 0_2_04E97CD0, 0_2_04E95C64, 0_2_0782D0BF, 0_2_0782D0D0
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code functions: 4_2_01A7F080, 4_2_01A7F3C8, 4_2_01A76120, 4_2_065CAC1A, 4_2_065CA918, 4_2_065C4EB0, 4_2_065C3330
Source: DrYFu0WLwMjz5fY.exe | Binary or memory string: OriginalFilename vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.283159359.000000000462D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000000.00000000.234422743.000000000065C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSHA.exe" vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.277205547.0000000002A0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCerbera.dll" vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.281242081.0000000004205000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.286677931.00000000098D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000002.502928164.00000000014F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe, 00000004.00000000.264712833.00000000010BC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSHA.exe" vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe | Binary or memory string: OriginalFilenameSHA.exe" vs DrYFu0WLwMjz5fY.exe
Source: DrYFu0WLwMjz5fY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DrYFu0WLwMjz5fY.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe "C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe"
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Process created: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Process created: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 times)
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DrYFu0WLwMjz5fY.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/1
Source: DrYFu0WLwMjz5fY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 times)
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 times)
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 times)
Source: 4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 times)
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DrYFu0WLwMjz5fY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DrYFu0WLwMjz5fY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
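Taken one at a time, the behaviours in this section are weak signals: reading the hosts file, querying Win32_Processor over WMI or opening an Outlook profile key each happen in benign software. What makes them a detection is that they occur together in one process tree, and that the process that does the stealing is a copy of the sample spawned by the sample itself (the payload is injected into the child, so telemetry keyed on the child's PID alone misses the parent). The Python below is an added example, not Joe Sandbox or vendor code: it correlates events of that shape into one verdict per tree. The event schema, the PIDs 1000/1004/2000 and the weights are constructed for the illustration; the Outlook key path, the WMI class, the hosts path and the domain are the ones listed above, and the extra hardware classes Win32_Bios and Win32_BaseBoard are an assumption.

```python
"""Correlate stealer behaviours into one verdict per process tree.

Added example, not Joe Sandbox or vendor code.  Event schema, PIDs and weights
are constructed; the indicator strings come from the evidence lines above.
"""
import re
from collections import defaultdict

# Outlook profile store under the Office hive; saved mail accounts live here.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles\\.+\\9375CFF0413111d3B88A00104B2A6676$",
    re.IGNORECASE)
HOSTS_RE = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.IGNORECASE)
# Win32_Processor is what this sample queried; Bios/BaseBoard are added as an assumption.
HW_WMI_CLASSES = ("win32_processor", "win32_bios", "win32_baseboard")

WEIGHTS = {"outlook_profile_access": 3, "self_spawn": 2, "wmi_hw_query": 1, "hosts_read": 1}
ALERT_THRESHOLD = 5


def classify(event):
    """Return the indicator an event matches, or None."""
    t = event["type"]
    if t == "RegistryOpen" and OUTLOOK_PROFILE_RE.search(event["key"]):
        return "outlook_profile_access"
    if t == "WmiQuery" and any(c in event["query"].lower() for c in HW_WMI_CLASSES):
        return "wmi_hw_query"
    if t == "FileRead" and HOSTS_RE.search(event["path"]):
        return "hosts_read"
    if t == "ProcessCreate" and event["image"].lower() == event["child_image"].lower():
        return "self_spawn"
    return None


def detect(events):
    """Score each process tree.  A child spawned from the parent's own image joins
    the parent's tree, so the injected child's stealing is attributed to the dropper."""
    root = {}                                     # pid -> root pid of its tree
    for e in events:
        if classify(e) == "self_spawn":
            root[e["child_pid"]] = root.get(e["pid"], e["pid"])
    trees = defaultdict(lambda: {"score": 0, "indicators": set(), "dns": []})
    for e in events:
        tree = trees[root.get(e["pid"], e["pid"])]
        ind = classify(e)
        if ind and ind not in tree["indicators"]:   # count each indicator once per tree
            tree["indicators"].add(ind)
            tree["score"] += WEIGHTS[ind]
        if e["type"] == "DnsQuery":                  # collected as an IOC, not scored
            tree["dns"].append(e["name"])
    return {pid: {"score": t["score"], "indicators": sorted(t["indicators"]),
                  "dns": t["dns"], "alert": t["score"] >= ALERT_THRESHOLD}
            for pid, t in trees.items()}


EXE = r"C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe"
# Constructed telemetry modelled on the evidence lines; the PIDs are made up.
EVENTS = [
    {"pid": 1000, "type": "ProcessCreate", "image": EXE, "child_pid": 1004, "child_image": EXE},
    {"pid": 1004, "type": "WmiQuery", "query": "SELECT * FROM Win32_Processor"},
    {"pid": 1004, "type": "FileRead", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"pid": 1004, "type": "RegistryOpen", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office"
                                                r"\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 1004, "type": "DnsQuery", "name": "samsung-tv.buzz"},
    {"pid": 2000, "type": "FileRead", "path": r"C:\Windows\System32\drivers\etc\hosts"},  # benign noise
]

if __name__ == "__main__":
    for pid, verdict in detect(EVENTS).items():
        print(pid, verdict)
```

The self-spawn link is the part worth keeping when porting this to real telemetry: without it the dropper (pid 1000) scores 2 and the child (pid 1004) scores 5, and neither tells the analyst that one sample did both.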

Data Obfuscation

Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Unpacked PE file: 0.2.DrYFu0WLwMjz5fY.exe.580000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 0_2_00583E21 push ebp; retf
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 0_2_0058578A pushad ; iretd
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 0_2_00DF7870 push esi; retf
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 0_2_00DF6AB2 push ebp; retf
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 0_2_00DF6AA8 push ebp; retf
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 0_2_00DF6EA3 push FFFFFFBAh; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_00FE2DFA push eax; retf
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_00FE20F4 pushad ; iretd
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_00FE2DC5 push 00000062h; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_00FE578A pushad ; iretd
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_00FE2454 push eax; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_00FE3E21 push ebp; retf
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_00FE2D10 push ecx; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C3330 push es; iretd
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065CFBA9 push es; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C18F6 push es; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C18BD push es; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C18AA push es; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C2177 push edi; retn 0000h
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C1909 push es; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C2520 push edi; ret
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C41DA push es; iretd
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Code function: 4_2_065C41D2 push es; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.6975939931
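A .text section at 7.70 bits per byte is the static counterpart of the unpacking seen at run time: ordinary compiled code sits well below 7, so a value that high means most of the section is compressed or encrypted data (here, the encrypted payload that the 11644-byte array initializer and the CreateDecryptor/TransformFinalBlock calls later turn into the AgentTesla image). The Python below is an added example, not Joe Sandbox code: it computes the statistic per section and per sliding window, so an encrypted blob embedded in an otherwise normal section can be located by offset. The section bytes are constructed stand-ins (on a real file, feed it `section.get_data()` from pefile), and the 7.0 cut-off is a common rule of thumb rather than a value taken from the report.

```python
"""Shannon entropy per PE section and per window.

Added example, not Joe Sandbox code.  Section contents below are constructed;
the 7.0 cut-off is a rule of thumb, not a value from the report.
"""
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # bits per byte; plain x86 or .NET code usually lands around 5.5 to 6.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def looks_packed(section: bytes, min_size: int = 512) -> bool:
    """Judge only sections large enough for the statistic to mean something."""
    return len(section) >= min_size and shannon_entropy(section) >= PACKED_THRESHOLD


def high_entropy_windows(data: bytes, window: int = 1024, step: int = 256) -> list:
    """Offsets of windows at or above the threshold, which locates an encrypted
    blob (such as an embedded payload array) inside an otherwise ordinary section."""
    return [off for off in range(0, max(len(data) - window, 0) + 1, step)
            if shannon_entropy(data[off:off + window]) >= PACKED_THRESHOLD]


def classify_sections(sections: dict) -> dict:
    """{name: bytes} -> {name: (entropy rounded to 2 dp, packed?)}."""
    return {name: (round(shannon_entropy(b), 2), looks_packed(b)) for name, b in sections.items()}


# Constructed stand-ins for section contents (use section.get_data() from pefile on a real file).
UNIFORM = bytes(range(256)) * 16        # every byte value equally often: entropy 8.0
CODE_LIKE = bytes(range(16)) * 64       # 16 distinct values, equally often: entropy 4.0
SECTIONS = {".text": UNIFORM, ".rsrc": bytes(range(16)) * 256, ".reloc": b"\x00" * 4096}
MIXED = CODE_LIKE + bytes(range(256)) * 8 + CODE_LIKE   # 1 KiB plain, 2 KiB blob, 1 KiB plain

if __name__ == "__main__":
    print(classify_sections(SECTIONS))
    print(high_entropy_windows(MIXED, window=1024, step=1024))
```

The windowed variant matters for .NET droppers like this one: the whole-section number flags the file, but the window offsets tell you where to carve the blob for decryption.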
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Process information set: NOOPENFILEERRORBOX (96 times)

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DrYFu0WLwMjz5fY.exe PID: 2964, type: MEMORYSTR
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe TID: 5740 | Thread sleep time: -43731s >= -30000s
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe TID: 1568 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe TID: 3248 | Thread sleep time: -22136092888451448s >= -30000s
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe TID: 784 | Thread sleep count: 5415 > 30
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe TID: 784 | Thread sleep count: 3041 > 30
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe TID: 1640 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Window / User API: threadDelayed 5415
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Window / User API: threadDelayed 3041
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Thread delayed: delay time: 43731
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Thread delayed: delay time: 922337203685477
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: DrYFu0WLwMjz5fY.exe, 00000004.00000003.300323712.0000000007279000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.310816941.000000000728B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.298831350.000000000728B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300081868.000000000728C000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.302066897.000000000728B000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.429414898.000000000727E000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.429398254.0000000007272000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.508002992.000000000727F000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.298894403.0000000007278000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300311522.000000000728C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: DrYFu0WLwMjz5fY.exe, 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Memory written: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Process created: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 BlobJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DrYFu0WLwMjz5fY.exe.462d590.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.267918532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.283159359.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.271853258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.273383724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.501605400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DrYFu0WLwMjz5fY.exe PID: 2964, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: DrYFu0WLwMjz5fY.exe PID: 5144, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: Yara match | File source: 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DrYFu0WLwMjz5fY.exe PID: 5144, type: MEMORYSTR
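                    The behaviour lines above are what an analyst actually works from, and two things about them deserve tooling. First, the 171 "Queries volume information" lines on C:\Windows\Fonts are one directory's worth of file opens by a process that loads System.Drawing and System.Windows.Forms (both listed above); collapsed per directory they become a single row, leaving the GAC assemblies, the sample's own binary and the credential stores as the entries worth reading. Second, the "File opened" / "Key opened" entries are the signature of an infostealer: one process reaching into the profile or session stores of Thunderbird, Outlook, IncrediMail, WinSCP, FileZilla, SmartFTP, Chrome and Firefox in a row, which no single legitimate client does. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself; it parses flattened report lines of this shape (tolerating the glued "...exeQueries" form the extraction produces), collapses volume-information queries by directory, and flags any process that touches stores belonging to three or more distinct applications. The application labels and the sample log lines are constructed from the paths in this report; the benign firefox.exe line is a constructed control.

```python
"""Triage helper for flattened Joe Sandbox behaviour lines.

Added example, not part of the original report or of Joe Sandbox. It
collapses 'Queries volume information' noise per directory and flags a
process that opens credential stores of several unrelated applications.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One behaviour line: "Source: <process> | <action>: <target> [VolumeInformation]".
# The separator is optional because extraction often glues "...exeQueries ...".
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*"
    r"(?P<action>Queries volume information|File opened|Key opened|"
    r"Key value queried|Registry key created or modified):\s*"
    r"(?P<target>.+?)(?:\s+VolumeInformation)?\s*$"
)

# Credential-store locations taken from the report's own lines (lower-cased
# fragments). The application labels are ours, not Joe Sandbox signature names.
CREDENTIAL_STORES = {
    "Thunderbird": [r"\thunderbird\profiles.ini"],
    "Firefox": [r"\mozilla\firefox\profiles.ini"],
    "Outlook": [r"\windows messaging subsystem\profiles\outlook"],
    "IncrediMail": [r"\incredimail\identities"],
    "WinSCP": [r"\martin prikryl\winscp 2\sessions"],
    "FileZilla": [r"\filezilla\recentservers.xml"],
    "SmartFTP": [r"\smartftp\client 2.0\favorites"],
    "Chrome": [r"\chrome\user data\default\login data",
               r"\chrome\user data\default\cookies"],
}


def parse_line(line):
    """Return {'proc', 'action', 'target'} for one behaviour line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_lines(lines):
    """Parse a list of lines, silently skipping anything that is not a behaviour line."""
    return [e for e in (parse_line(l) for l in lines) if e]


def volume_queries_by_directory(events):
    """Collapse 'Queries volume information' events to a per-directory count."""
    counts = Counter()
    for e in events:
        if e["action"] == "Queries volume information":
            counts[str(PureWindowsPath(e["target"]).parent)] += 1
    return counts


def credential_store_hits(events):
    """Map each process to the set of applications whose credential stores it opened."""
    hits = defaultdict(set)
    for e in events:
        if e["action"] not in ("File opened", "Key opened"):
            continue
        target = e["target"].lower()
        for app, fragments in CREDENTIAL_STORES.items():
            if any(f in target for f in fragments):
                hits[e["proc"]].add(app)
    return dict(hits)


def flag_infostealers(events, min_apps=3):
    """Processes that open stores of at least min_apps distinct applications.

    A mail client reading its own profile is normal; one process reading mail,
    FTP, SSH and browser stores in a row is the stealer pattern in this report.
    """
    return sorted(p for p, apps in credential_store_hits(events).items()
                  if len(apps) >= min_apps)


# Constructed sample input modelled on the lines of this report.
SAMPLE = r"C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe"
SAMPLE_LINES = [
    rf"Source: {SAMPLE} | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation",
    rf"Source: {SAMPLE}Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation",  # glued form
    rf"Source: {SAMPLE} | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation",
    rf"Source: {SAMPLE} | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation",
    rf"Source: {SAMPLE} | Queries volume information: {SAMPLE} VolumeInformation",
    rf"Source: {SAMPLE} | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    rf"Source: {SAMPLE} | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    rf"Source: {SAMPLE} | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    rf"Source: {SAMPLE} | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    rf"Source: {SAMPLE} | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    rf"Source: {SAMPLE} | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    rf"Source: {SAMPLE} | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    rf"Source: {SAMPLE} | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    # constructed benign control: the browser reading its own profile
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    "barindex",  # page residue that must not parse
]

if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for directory, n in volume_queries_by_directory(evs).most_common():
        print(f"{n:4d} volume-info queries under {directory}")
    for proc, apps in credential_store_hits(evs).items():
        print(f"{proc}: {sorted(apps)}")
    print("infostealer pattern:", flag_infostealers(evs))
```

                    Run against a full report export rather than the constructed sample, the per-directory view shrinks the 171 font lines to one row and the threshold separates the sample (six applications' stores) from any real client that opens only its own. The threshold is deliberately conservative; raise it or extend CREDENTIAL_STORES with the other paths your environment cares about.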

                    Remote Access Functionality

                    barindex
                    Source: Yara matchFile source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DrYFu0WLwMjz5fY.exe.4697fd0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DrYFu0WLwMjz5fY.exe.462d590.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DrYFu0WLwMjz5fY.exe.46639b0.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.DrYFu0WLwMjz5fY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.267918532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.283159359.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.271853258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.273383724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.501605400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DrYFu0WLwMjz5fY.exe PID: 2964, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: DrYFu0WLwMjz5fY.exe PID: 5144, type: MEMORYSTR
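Added triage example, not part of the Joe Sandbox report: the memory dump names in the Yara match list above encode where each hit was found, and reading them is the quickest way to see the injection the report flags. The script below was written for this edit. It parses the entries of type MEMORY and returns the hits that sit in a writable and executable region inside the 0x400000 image (the image the `.unpack` entries refer to) in a dump taken at process start. Everything about the naming scheme is an assumption made for this example, not something the page states: the field layout `<process index>.<stage>.<dump id>.<base address>.<page protection>.<three undecoded fields>.sdmp`, the stage codes (0 = process start, 2 = end of analysis, 3 = while running) and the 1 MiB window used as the image size. The protection values are the documented Windows constants PAGE_READWRITE (0x04) and PAGE_EXECUTE_READWRITE (0x40).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Memory dump names copied from the Yara match list of this report (the
# entries of type MEMORY).  The field layout assumed below is an assumption
# made for this example; the last three fields are left undecoded.
YARA_MEMORY_HITS = [
    "00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000004.00000000.267918532.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000000.00000002.283159359.000000000462D000.00000004.00000800.00020000.00000000.sdmp",
    "00000004.00000000.271853258.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000004.00000000.273383724.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000004.00000002.501605400.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp",
]

# Windows page-protection constants from winnt.h.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Assumed meaning of the stage field (0 = dump taken at process start,
# 2 = at end of analysis, 3 = taken while the process was running).
STAGE_NAMES = {0: "process start", 2: "end of analysis", 3: "while running"}

# Assumed layout:
# <process index>.<stage>.<dump id>.<base address>.<page protection>.<3 undecoded fields>.sdmp
_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protect: int

    @property
    def rwx(self) -> bool:
        """True when the region was writable and executable at dump time."""
        return self.protect == PAGE_EXECUTE_READWRITE

    def describe(self) -> str:
        stage = STAGE_NAMES.get(self.stage, f"stage {self.stage}")
        return (f"process {self.process_index}, {stage}, "
                f"base 0x{self.base:X}, protect 0x{self.protect:02X}")


def parse_dump_name(name: str) -> Dump:
    """Split a Joe Sandbox .sdmp file name into its numeric fields."""
    m = _DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return Dump(
        process_index=int(m.group("proc"), 16),
        stage=int(m.group("stage"), 16),
        dump_id=int(m.group("dump")),
        base=int(m.group("base"), 16),
        protect=int(m.group("protect"), 16),
    )


def injected_image_regions(names: List[str], image_base: int = 0x400000,
                           image_size: int = 0x100000) -> List[Dump]:
    """Hits that are RWX, lie inside the image window and were dumped at
    process start.  A Yara-matching PE in such a region, before the process
    has run any of its own code, is the footprint of a PE written into a
    freshly created process.  image_size is an assumed 1 MiB window."""
    hits = []
    for name in names:
        d = parse_dump_name(name)
        in_image = image_base <= d.base < image_base + image_size
        if d.stage == 0 and d.rwx and in_image:
            hits.append(d)
    return hits


def distinct_regions(names: List[str]) -> List[Tuple[int, int, int, int]]:
    """Unique (process, stage, base, protect) tuples, for a quick overview."""
    return sorted({(d.process_index, d.stage, d.base, d.protect)
                   for d in map(parse_dump_name, names)})


if __name__ == "__main__":
    for d in injected_image_regions(YARA_MEMORY_HITS):
        print("injected image region:", d.describe())
```

Run against the seven MEMORY entries above, `injected_image_regions` returns the four process-4, process-start dumps at 0x402000 with protection 0x40; the stage-2 dumps and the PAGE_READWRITE heap regions (0x462D000 in process 0, 0x3451000 in process 4) are left out. The process indexes are not mapped to the two PIDs listed above because the page does not give that mapping.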
MITRE ATT&CK matrix (columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). The matrix is rebuilt below one column per line. A number in square brackets is the signature-count badge Joe Sandbox puts on a matched technique, reproduced as extracted (multi-digit values are adjacent badges run together); techniques without a badge are the unmatched cells of the matrix template, which also lists Linux, macOS and mobile techniques that do not apply to this Windows sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [211] Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: [111] Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: [11] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [13] Software Packing; [1] Masquerading; [1] Modify Registry; [131] Virtualization/Sandbox Evasion; [111] Process Injection
Credential Access: [2] OS Credential Dumping; [11] Input Capture; [1] Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [114] System Information Discovery; [1] Query Registry; [211] Security Software Discovery; [1] Process Discovery; [131] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] Remote System Discovery; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: [11] Archive Collected Data; [2] Data from Local System; [1] Email Collection; [11] Input Capture; [1] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: [1] Encrypted Channel; [1] Non-Standard Port; [1] Non-Application Layer Protocol; [11] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Submitted sample:
Source | Detection | Scanner | Label
DrYFu0WLwMjz5fY.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
DrYFu0WLwMjz5fY.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label
4.0.DrYFu0WLwMjz5fY.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
4.0.DrYFu0WLwMjz5fY.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
4.0.DrYFu0WLwMjz5fY.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
0.2.DrYFu0WLwMjz5fY.exe.580000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.DrYFu0WLwMjz5fY.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
4.2.DrYFu0WLwMjz5fY.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.DrYFu0WLwMjz5fY.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8

Domains:
Source | Detection | Scanner | Label
samsung-tv.buzz | 2% | Virustotal |
URLs (trailing characters after many URLs, such as the "0" after ".crl", are part of the strings as reported and are kept unchanged):
URL | Detection | Scanner | Label
http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe
http://ocsp.suscerte.gob.ve0 | 0% | URL Reputation | safe
http://crl.dhimyotis.com/certignarootca.crl0 | 0% | URL Reputation | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnr-tx | 0% | Avira URL Cloud | safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/dpc0 | 0% | URL Reputation | safe
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://policy.camerfirma.com0 | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | 0% | URL Reputation | safe
http://www.carterandcone.come | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-b/cacrl.crl0 | 0% | URL Reputation | safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | 0% | URL Reputation | safe
https://wwww.certigna.fr/autorites/0m | 0% | URL Reputation | safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.globaltrust.info0 | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://ac.economia.gob.mx/last.crl0G | 0% | URL Reputation | safe
http://crl.oces.trust2408.com/oces.crl0 | 0% | URL Reputation | safe
http://certs.oaticerts.com/repository/OATICA2.crl | 0% | URL Reputation | safe
http://certs.oati.net/repository/OATICA2.crt0 | 0% | URL Reputation | safe
http://www.accv.es00 | 0% | URL Reputation | safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.acabogacia.org0 | 0% | URL Reputation | safe
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe
http://crl.securetrust.com/SGCA.crl0 | 0% | URL Reputation | safe
http://www.agesic.gub.uy/acrn/acrn.crl0) | 0% | URL Reputation | safe
http://www.rcsc.lt/repository0 | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comgritaj | 0% | Avira URL Cloud | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.comr-tx | 0% | Avira URL Cloud | safe
http://certs.oaticerts.com/repository/OATICA2.crt08 | 0% | URL Reputation | safe
http://cps.chambersign.org/cps/chambersignroot.html0 | 0% | URL Reputation | safe
http://www.oaticerts.com/repository. | 0% | URL Reputation | safe
http://www.ancert.com/cps0 | 0% | URL Reputation | safe
http://ocsp.accv.es0 | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0 | 0% | URL Reputation | safe
http://www.echoworx.com/ca/root2/cps.pdf0 | 0% | URL Reputation | safe
http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03 | 0% | URL Reputation | safe
http://samsung-tv.buzz | 0% | Avira URL Cloud | safe
http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://crl.defence.gov.au/pki0 | 0% | URL Reputation | safe
http://www.agesic.gub.uy/acrn/cps_acrn.pdf0 | 0% | URL Reputation | safe
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0 | 0% | URL Reputation | safe
https://www.catcert.net/verarrel05 | 0% | URL Reputation | safe
http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0 | 0% | URL Reputation | safe
http://www.comsign.co.il/cps0 | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.e-me.lv/repository0 | 0% | URL Reputation | safe
http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
http://www.postsignum.cz/crl/psrootqca2.crl02 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.htmlE | 0% | Avira URL Cloud | safe
http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/lcr0# | 0% | URL Reputation | safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0 | 0% | URL Reputation | safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation | safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
samsung-tv.buzz | 195.54.163.133 | true | true | | unknown
URLs with the memory regions they were found in (every entry below carries Malicious: false; only the contacted domain samsung-tv.buzz is flagged malicious in this report):
URL | Source | Malicious | Antivirus detection | Reputation
http://www.certplus.com/CRL/class3.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/dcoetzee/plants-vs-zombies-user-file-editor | DrYFu0WLwMjz5fY.exe | false | | high
http://ocsp.suscerte.gob.ve0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.dhimyotis.com/certignarootca.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.chambersign.org1 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cnr-tx | DrYFu0WLwMjz5fY.exe, 00000000.00000003.247385713.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247429001.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://repository.swisssign.com/0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-c/cacrl.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301345594.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313665694.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313768380.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.429330402.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.508073762.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.307999640.00000000074A5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.suscerte.gob.ve/dpc0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301345594.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313665694.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313768380.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.429330402.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.508073762.00000000074A5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.307999640.00000000074A5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247385713.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247429001.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://pki.registradores.org/normativa/index.htm0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://policy.camerfirma.com0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.anf.es/es/address-direccion.html | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.anf.es/address/)1(0& | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.come | DrYFu0WLwMjz5fY.exe, 00000000.00000003.247705436.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247745863.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.429398254.0000000007272000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.506114167.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.505912640.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.507974553.0000000007274000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-b/cacrl.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/dpc/0Z | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.wellsfargo.com/wsprca.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wwww.certigna.fr/autorites/0m | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.anf.es/AC/ANFServerCA.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.globaltrust.info0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ac.economia.gob.mx/last.crl0G | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301879715.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.oces.trust2408.com/oces.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://eca.hinet.net/repository0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://certs.oaticerts.com/repository/OATICA2.crl | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://certs.oati.net/repository/OATICA2.crt0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es00 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301879715.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.datev.de/zertifikat-policy-int0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301879715.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301260375.00000000074B4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.firmaprofesional.com/cps0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301364748.000000000749E000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org%%startupfolder% | DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://crl.securetrust.com/SGCA.crl0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.429366287.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301220987.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301970914.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313896786.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.508117984.00000000074C5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.agesic.gub.uy/acrn/acrn.crl0) | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.rcsc.lt/repository0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgritaj | DrYFu0WLwMjz5fY.exe, 00000000.00000002.276898324.0000000001080000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://web.certicamara.com/marco-legal0Z | DrYFu0WLwMjz5fY.exe, 00000004.00000003.301070933.00000000074D5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.quovadisglobal.com/cps0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.429398254.0000000007272000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.506114167.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.505912640.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.507974553.0000000007274000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | DrYFu0WLwMjz5fY.exe, 00000004.00000003.429398254.0000000007272000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.506114167.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.505912640.00000000037AF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.507974553.0000000007274000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | DrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comr-tx | DrYFu0WLwMjz5fY.exe, 00000000.00000003.247705436.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000000.00000003.247745863.0000000007E7A000.00000004.00000800.00020000.00000000.sdmp | false
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://certs.oaticerts.com/repository/OATICA2.crt08DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://cps.chambersign.org/cps/chambersignroot.html0DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.anf.es/AC/RC/ocsp0cDrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.oaticerts.com/repository.DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.ancert.com/cps0DrYFu0WLwMjz5fY.exe, 00000004.00000002.507763236.00000000071D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://ocsp.accv.es0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301879715.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.echoworx.com/ca/root2/cps.pdf0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://rca.e-szigno.hu/ocsp0-DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://samsung-tv.buzzDrYFu0WLwMjz5fY.exe, 00000004.00000002.506114167.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000002.505912640.00000000037AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://eca.hinet.net/repository/CRL2/CA.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.datev.de/zertifikat-policy-std0DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlNDrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.founder.com.cn/cnDrYFu0WLwMjz5fY.exe, 00000000.00000002.286257632.0000000009292000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://crl.defence.gov.au/pki0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.agesic.gub.uy/acrn/cps_acrn.pdf0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://www.catcert.net/verarrel05DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301260375.00000000074B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.pki.gva.es/cps0%DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.cert.fnmt.es/dpcs/0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301403875.000000000743C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.datev.de/zertifikat-policy-bt0DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.comsign.co.il/cps0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://127.0.0.1:HTTP/1.1DrYFu0WLwMjz5fY.exe, 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          low
                                                                          http://www.e-me.lv/repository0DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.300839908.00000000071DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.acabogacia.org/doc0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://crl.chambersign.org/chambersroot.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301027805.00000000074CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.postsignum.cz/crl/psrootqca2.crl02DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.ascendercorp.com/typedesigners.htmlEDrYFu0WLwMjz5fY.exe, 00000000.00000003.248146714.0000000007EAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.pkioverheid.nl/policies/root-policy0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301220987.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301970914.00000000074C5000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301126397.00000000074C2000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.313896786.00000000074C5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.suscerte.gob.ve/lcr0#DrYFu0WLwMjz5fY.exe, 00000004.00000003.300994237.00000000074DF000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301093390.00000000074EC000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301730088.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://postsignum.ttc.cz/crl/psrootqca2.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301236509.00000000074A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crlDrYFu0WLwMjz5fY.exe, 00000004.00000003.301166023.00000000074BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.301364748.000000000749E000.00000004.00000800.00020000.00000000.sdmp, DrYFu0WLwMjz5fY.exe, 00000004.00000003.301278276.0000000007435000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.certplus.com/CRL/class3P.crl0DrYFu0WLwMjz5fY.exe, 00000004.00000003.300807255.00000000071CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.54.163.133 | samsung-tv.buzz | Ukraine | 15626 | ITLASUA | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635165
Start date and time: 2022-05-27 16:11:08 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 32s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DrYFu0WLwMjz5fY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 1.4% (good quality ratio 0.8%)
• Quality average: 32.1%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:12:20 | API Interceptor | 682x Sleep call for process: DrYFu0WLwMjz5fY.exe modified
Process: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
File Type: Microsoft Cabinet archive data, 61476 bytes, 1 file
Category: dropped
Size (bytes): 61476
Entropy (8bit): 7.995018321729444
Encrypted: true
SSDEEP: 1536:NATLwfiuePkACih0/8uIwf5CiqGLhk1V/AFnGegJR:N7nePk5gKsoBha/0GTf
MD5: 308336E7F515478969B24C13DED11EDE
SHA1: 8FB0CF42B77DBBEF224A1E5FC38ABC2486320775
SHA-256: 889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
SHA-512: 61AD97228CD6C3909EF3AC5E4940199971F293BDD0D5EB7916E60469573A44B6287C0FA1E0B6C1389DF35EB6C9A7D2A61FDB318D4A886A3821EF5A9DAB3AC24F
Malicious: false
Reputation: moderate, very likely benign file
Preview: (binary CAB data, omitted)
Process: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.0941585927255777
Encrypted: false
SSDEEP: 6:kK4HBmN+SkQlPlEGYRMY9z+4KlDA3RUecl7PG1:0TkPlE99SNxAhUecl61
MD5: 497C37EFC97B14D36794F4568369F626
SHA1: 51459B7E1D4DD17D37D0BEDDC04E7306CCC5F72B
SHA-256: A5A97C249259FBD19FF818CBB716465A9BAFB470CA7F61EAA80A018D99B9372F
SHA-512: 17EA6D7E12C12991B363F72A34B419C4A427BAD77C25F4C25E4B888DBFA9492D0FE06C9B3CE5A1439143C63E76D2DD8A51243C5E95D6DA12D61BBBF2F930256F
Malicious: false
Reputation: low
Preview: p...... ......../....q..(....................................................... ........3f..o......&...........$...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.3.3.6.6.b.4.9.0.6.f.d.8.1.:.0."...
Process: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                          Process:C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                          Category:modified
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):0.7006690334145785
                                                                          Encrypted:false
                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                          MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                          SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                          SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                          SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.681430646387277
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          File name:DrYFu0WLwMjz5fY.exe
                                                                          File size:909312
                                                                          MD5:a95183abde70960bccc37b897ccd0699
                                                                          SHA1:21765fad9cec8831ef6e7361076abd779f4bf68c
                                                                          SHA256:981affe9133f68da268a562ad4c6f16464b7d00e4a596bae4516e984bfd04cff
                                                                          SHA512:f1a9f64a11742877036d13a9f2239d720b44de53b7cab596f1879574f4d43c703deb50695b1ee45bc82d4c6c2cdc9feea03cc0a6ef0dd6fffb329bca108bcd4f
                                                                          SSDEEP:24576:732dT2XreSkbHo2xS6OVby2+eIjErm4KUGhwGG:DbuxObtI4rShwGG
                                                                          TLSH:6315BFBC31907DDFC817CE7985985C649A202CA6470BE203A01B3DDDAA7DF968F156E3
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%.b..............0......L........... ........@.. .......................@............@................................
                                                                          Icon Hash:31b1393969391b39
                                                                          Entrypoint:0x4db02e
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0x6290259C [Fri May 27 01:13:00 2022 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v4.0.30319
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                           Name | Virtual Address | Virtual Size | Is in Section
                                                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdafd8 | 0x53 | .text
                                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdc000 | 0x4860 | .rsrc
                                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
                                                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                           .text | 0x2000 | 0xd9034 | 0xd9200 | False | 0.835496725676 | data | 7.6975939931 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                           .rsrc | 0xdc000 | 0x4860 | 0x4a00 | False | 0.662056587838 | data | 6.42119337389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                           .reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                           Name | RVA | Size | Type | Language | Country
                                                                           RT_ICON | 0xdc160 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294268550, next used block 4294202757 | |
                                                                           RT_GROUP_ICON | 0xe0388 | 0x14 | data | |
                                                                           RT_GROUP_ICON | 0xe039c | 0x14 | data | |
                                                                           RT_VERSION | 0xe03b0 | 0x2c4 | data | |
                                                                           RT_MANIFEST | 0xe0674 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                                                           DLL | Import
                                                                           mscoree.dll | _CorExeMain
                                                                           Description | Data
                                                                           Translation | 0x0000 0x04b0
                                                                           LegalCopyright |
                                                                           Assembly Version | 1.0.0.0
                                                                           InternalName | SHA.exe
                                                                           FileVersion | 1.0.0.0
                                                                           CompanyName |
                                                                           LegalTrademarks |
                                                                           Comments |
                                                                           ProductName |
                                                                           ProductVersion | 1.0.0.0
                                                                           FileDescription |
                                                                           OriginalFilename | SHA.exe
                                                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                          May 27, 2022 16:12:49.078419924 CEST49765587192.168.2.4195.54.163.133
                                                                          May 27, 2022 16:12:49.133163929 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133209944 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133236885 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133261919 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133398056 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133425951 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133552074 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133579969 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.133605003 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.137506008 CEST58749765195.54.163.133192.168.2.4
                                                                          May 27, 2022 16:12:49.181477070 CEST49765587192.168.2.4195.54.163.133
                                                                          May 27, 2022 16:14:19.142858028 CEST49765587192.168.2.4195.54.163.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 16:12:39.221312046 CEST | 64454 | 53 | 192.168.2.4 | 8.8.8.8
May 27, 2022 16:12:39.254265070 CEST | 53 | 64454 | 8.8.8.8 | 192.168.2.4
May 27, 2022 16:12:47.831768036 CEST | 60647 | 53 | 192.168.2.4 | 8.8.8.8
May 27, 2022 16:12:47.866461039 CEST | 53 | 60647 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 16:12:39.221312046 CEST | 192.168.2.4 | 8.8.8.8 | 0x571d | Standard query (0) | samsung-tv.buzz | A (IP address) | IN (0x0001)
May 27, 2022 16:12:47.831768036 CEST | 192.168.2.4 | 8.8.8.8 | 0x7e16 | Standard query (0) | samsung-tv.buzz | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 27, 2022 16:12:39.254265070 CEST | 8.8.8.8 | 192.168.2.4 | 0x571d | No error (0) | samsung-tv.buzz |  | 195.54.163.133 | A (IP address) | IN (0x0001)
May 27, 2022 16:12:47.866461039 CEST | 8.8.8.8 | 192.168.2.4 | 0x7e16 | No error (0) | samsung-tv.buzz |  | 195.54.163.133 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 27, 2022 16:12:39.489639044 CEST | 587 | 49758 | 195.54.163.133 | 192.168.2.4 | 220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Fri, 27 May 2022 17:12:38 +0300
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 27, 2022 16:12:39.490025997 CEST | 49758 | 587 | 192.168.2.4 | 195.54.163.133 | EHLO 377142
May 27, 2022 16:12:39.545362949 CEST | 587 | 49758 | 195.54.163.133 | 192.168.2.4 | 250-cp5ua.hyperhost.ua Hello 377142 [102.129.143.42]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
May 27, 2022 16:12:39.547352076 CEST | 49758 | 587 | 192.168.2.4 | 195.54.163.133 | STARTTLS
May 27, 2022 16:12:39.604124069 CEST | 587 | 49758 | 195.54.163.133 | 192.168.2.4 | 220 TLS go ahead
May 27, 2022 16:12:48.019937038 CEST | 587 | 49765 | 195.54.163.133 | 192.168.2.4 | 220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Fri, 27 May 2022 17:12:47 +0300
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 27, 2022 16:12:48.020385027 CEST | 49765 | 587 | 192.168.2.4 | 195.54.163.133 | EHLO 377142
May 27, 2022 16:12:48.076255083 CEST | 587 | 49765 | 195.54.163.133 | 192.168.2.4 | 250-cp5ua.hyperhost.ua Hello 377142 [102.129.143.42]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
May 27, 2022 16:12:48.080271959 CEST | 49765 | 587 | 192.168.2.4 | 195.54.163.133 | STARTTLS
May 27, 2022 16:12:48.139369965 CEST | 587 | 49765 | 195.54.163.133 | 192.168.2.4 | 220 TLS go ahead

Target ID: 0
Start time: 16:12:09
Start date: 27/05/2022
Path: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe"
Imagebase: 0x580000
File size: 909312 bytes
MD5 hash: A95183ABDE70960BCCC37B897CCD0699
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.283159359.000000000462D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.283159359.000000000462D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.280654156.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.286677931.00000000098D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation: low

Target ID: 4
Start time: 16:12:22
Start date: 27/05/2022
Path: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\DrYFu0WLwMjz5fY.exe
Imagebase: 0xfe0000
File size: 909312 bytes
MD5 hash: A95183ABDE70960BCCC37B897CCD0699
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.272725067.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.267918532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.267918532.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.271853258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.271853258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.273383724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.273383724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.501605400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.501605400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.505156473.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly