Windows Analysis Report
6R24hlXGVS56Z6Y.exe

Overview

General Information

Sample Name: 6R24hlXGVS56Z6Y.exe
Analysis ID: 635212
MD5: a9819b4b8ca61d132faa30c59482c10f
SHA1: 226725a9f34ade061c288e6a6faddd944fec8868
SHA256: 86a8ba97bde5b049538c73c0e8fc0484a0883422944eb5b988eec2233d004837
Tags: agenttesla, exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Adds / modifies Windows certificates
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 6R24hlXGVS56Z6Y.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe" MD5: A9819B4B8CA61D132FAA30C59482C10F)
    • 6R24hlXGVS56Z6Y.exe (PID: 6520 cmdline: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe MD5: A9819B4B8CA61D132FAA30C59482C10F)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "lewislog@samsung-tv.buzz", "Password": "7213575aceACE@#$", "Host": "samsung-tv.buzz"}
Source | Rule | Description | Author | Strings
00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30d60:$s10: logins
  • 0x307c7:$s11: credential
  • 0x2cdb5:$g1: get_Clipboard
  • 0x2cdc3:$g2: get_Keyboard
  • 0x2cdd0:$g3: get_Password
  • 0x2e0ce:$g4: get_CtrlKeyDown
  • 0x2e0de:$g5: get_ShiftKeyDown
  • 0x2e0ef:$g6: get_AltKeyDown
4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "lewislog@samsung-tv.buzz", "Password": "7213575aceACE@#$", "Host": "samsung-tv.buzz"}
Source: 6R24hlXGVS56Z6Y.exe | Virustotal: Detection: 36%
Source: 6R24hlXGVS56Z6Y.exe | ReversingLabs: Detection: 61%
Source: 6R24hlXGVS56Z6Y.exe | Avira: detected
Source: 6R24hlXGVS56Z6Y.exe | Joe Sandbox ML: detected
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6R24hlXGVS56Z6Y.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 6R24hlXGVS56Z6Y.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | ASN Name: ITLASUA ITLASUA
Source: global traffic | TCP traffic: 192.168.2.6:49774 -> 195.54.163.133:587
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466720672.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465548130.0000000006BC3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643882853.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466720672.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465548130.0000000006BC3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643882853.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643992330.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cZojHh.com
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642919631.0000000006788000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454797413.00000000067A5000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455786336.00000000067A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454913928.0000000006BFE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454913928.0000000006BFE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465916495.00000000067B7000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642983870.00000000067B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643992330.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454786394.00000000067A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.defence.gov.au/pki0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454786394.00000000067A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454538794.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455625077.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.460720359.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466089722.00000000067F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643992330.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.461073416.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455241825.0000000006B2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454538794.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455625077.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.460720359.00000000067F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454538794.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455625077.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.460720359.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466089722.00000000067F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454776252.0000000006C05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454958046.000000000678D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454958046.000000000678D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/M
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.453060607.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.453811656.0000000006803000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5aab6a943ff34
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.381171899.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.381096955.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.381231216.00000000063CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.w$
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455661936.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454554430.0000000006803000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380606284.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380758503.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380677591.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380652171.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380606284.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380561800.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380758503.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380677591.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380652171.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.comh
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.accv.es0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455176856.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.gva.es0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455241825.0000000006B2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455176856.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465916495.00000000067B7000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642983870.00000000067B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465916495.00000000067B7000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642983870.00000000067B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://samsung-tv.buzz
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.acabogacia.org/doc0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.acabogacia.org0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es00
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ancert.com/cps0
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.anf.es
Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384911065.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384824409.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387511186.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387434200.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmly
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com$
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coma
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comof
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comrk
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comsk
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.461073416.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455241825.0000000006B2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455661936.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454554430.0000000006803000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455661936.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454554430.0000000006803000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454767047.0000000006C09000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642919631.0000000006788000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454797413.00000000067A5000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455786336.00000000067A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454797413.00000000067A5000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455786336.00000000067A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455322515.0000000006BC8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424158383.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395139333.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.417562402.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395010669.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395430812.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.394716738.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389669965.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comB
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424158383.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395139333.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.417562402.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395010669.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395430812.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.394716738.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389669965.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsF
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomm
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389573902.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdyo$
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessed
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388718051.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comk
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlicF
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388955744.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388830994.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388767394.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388718051.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsief
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390359522.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390426618.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390578615.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390486046.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsivo$
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424158383.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395139333.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.417562402.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395010669.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395430812.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.394716738.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comueta
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383604980.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384160713.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384516970.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383883042.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383883042.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384160713.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/5
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382983490.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382905321.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/Y
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383405212.00000000063BE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383502102.00000000063C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnht
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383883042.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cno
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.391097323.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.391097323.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.391191719.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/:
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.391191719.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.krY
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.krom
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454825636.0000000006C02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387557703.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387671462.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387511186.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387603719.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387434200.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386261996.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386199122.00000000063BC000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386167015.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/B
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386261996.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386199122.00000000063BC000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386167015.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/K
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/P
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/bN
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387557703.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387671462.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387511186.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387603719.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387434200.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/$
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/P
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386261996.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ue
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/va
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vno
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/wa
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455322515.0000000006BC8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455176856.0000000006BCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455176856.0000000006BCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454538794.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455625077.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.460720359.00000000067F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455176856.0000000006BCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.379424036.00000000063A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387511186.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387434200.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382983490.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382905321.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.c
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382905321.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382675016.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krn-uK
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kron
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382675016.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krs-c
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454776252.0000000006C05000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454776252.0000000006C05000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454776252.0000000006C05000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384516970.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com4
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384594453.000000000190C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com7R
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384594453.000000000190C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comY
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comb
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comic
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comnt
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454776252.0000000006C05000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388329849.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388329849.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de?
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388718051.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388510361.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388550067.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388767394.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388329849.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388606181.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.dew
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385016258.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385016258.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cndnlB
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385016258.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cni
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385016258.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnof
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385016258.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnoup
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455176856.0000000006BCB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640941183.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://EEMzZM29crUf0q.org
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%%startupfolder%
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://eca.hinet.net/repository0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web.certicamara.com/marco-legal0Z
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/address/)1(0&
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel05
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.hu/docs/
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.net/docs
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454786394.00000000067A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
                    Source: unknown | DNS traffic detected: queries for: samsung-tv.buzz

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.418468821.0000000001708000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.458aa98.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, <PrivateImplementationDetails>{B78F8ED1-8526-4A8C-B434-8894A4F7354F}/67C580ED-9D01-4F86-938E-12F487DD747F.cs | Large array initialization: .cctor: array initializer size 11644
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, <PrivateImplementationDetails>{B78F8ED1-8526-4A8C-B434-8894A4F7354F}/67C580ED-9D01-4F86-938E-12F487DD747F.cs | Large array initialization: .cctor: array initializer size 11644
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, <PrivateImplementationDetails>{B78F8ED1-8526-4A8C-B434-8894A4F7354F}/67C580ED-9D01-4F86-938E-12F487DD747F.cs | Large array initialization: .cctor: array initializer size 11644
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, <PrivateImplementationDetails>{B78F8ED1-8526-4A8C-B434-8894A4F7354F}/67C580ED-9D01-4F86-938E-12F487DD747F.cs | Large array initialization: .cctor: array initializer size 11644
                    Source: 6R24hlXGVS56Z6Y.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.458aa98.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 0_2_018F6A08
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 0_2_018F6D9E
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 0_2_018F7DF0
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 0_2_018F8102
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 4_2_04E0F080
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 4_2_04E0F3C8
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 4_2_05B1C920
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 4_2_05B1BBD0
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 4_2_05B19C09
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.418171038.0000000001052000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInternalRemotingServi.exe< vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.418468821.0000000001708000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424323014.0000000006570000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCerbera.dll" vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639219509.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInternalRemotingServi.exe< vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639361959.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe | Binary or memory string: OriginalFilenameInternalRemotingServi.exe< vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: 6R24hlXGVS56Z6Y.exe | Virustotal: Detection: 36%
                    Source: 6R24hlXGVS56Z6Y.exe | ReversingLabs: Detection: 61%
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe "C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe"
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Process created: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6R24hlXGVS56Z6Y.exe.log
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2
                    Source: 6R24hlXGVS56Z6Y.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: 6R24hlXGVS56Z6Y.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 6R24hlXGVS56Z6Y.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 0_2_00FC0546 push BD3742C6h; iretd 0_2_00FC0554
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Code function: 4_2_00610546 push BD3742C6h; iretd 4_2_00610554
                    Source: initial sample | Static PE information: section name: .text entropy: 7.84091961833
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6360, type: MEMORYSTR
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 6356 Thread sleep time: -43731s >= -30000s
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 6028 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 2952 Thread sleep time: -22136092888451448s >= -30000s
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 3396 Thread sleep count: 4471 > 30
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 3396 Thread sleep count: 4342 > 30
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Window / User API: threadDelayed 4471
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Window / User API: threadDelayed 4342
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Thread delayed: delay time: 43731
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Thread delayed: delay time: 922337203685477
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.453201353.000000000680F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.450117128.000000000680E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466236746.0000000006B2C000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.449482579.0000000006B2B000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643689646.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.453574264.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.461073416.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455421039.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Memory written: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Process created: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.458aa98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.416014888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.414120802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.416564680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.638637561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6520, type: MEMORYSTR
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: Yara match | File source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6520, type: MEMORYSTR
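The file and registry accesses listed above are the useful part of this section for a defender: no single legitimate program opens Thunderbird's, Outlook's, WinSCP's, FileZilla's, Chrome's and Firefox's credential stores in one run. The script below is an added example, not part of the Joe Sandbox report, that turns exactly that observation into a detection. It takes event lines in a constructed "Source: <process> File opened: <path>" / "Key opened: <key>" layout modelled on the report's entries, maps each access to the application that owns the store (the list of stores is the one the report shows), discounts an application reading its own store, and flags any process that touches stores of three or more applications. The event format, the sample events and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Credential-store locations taken from the report's "Stealing of Sensitive
# Information" section, keyed by the application that legitimately owns them.
# File paths are matched case-insensitively as suffixes so the user-profile
# prefix does not matter; registry keys are matched as prefixes so subkeys
# (the Outlook profile GUID in the report) are covered too.
CREDENTIAL_STORES: Dict[str, str] = {
    r"\AppData\Roaming\Thunderbird\profiles.ini": "Thunderbird",
    r"\AppData\Roaming\Mozilla\Firefox\profiles.ini": "Firefox",
    r"\AppData\Local\Google\Chrome\User Data\Default\Login Data": "Chrome",
    r"\AppData\Local\Google\Chrome\User Data\Default\Cookies": "Chrome",
    r"\AppData\Roaming\FileZilla\recentservers.xml": "FileZilla",
    r"\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect": "SmartFTP",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook": "Outlook",
    r"HKEY_CURRENT_USER\Software\IncrediMail\Identities": "IncrediMail",
    r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions": "WinSCP",
}

# Assumed event layout, modelled on the report's "Source: ... File opened: ..."
# and "Key opened: ..." entries (not a real sandbox export format).
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s+(?P<op>File opened|Key opened):\s*(?P<target>.+?)\s*$"
)


def match_store(target: str) -> Optional[str]:
    """Return the owning application if `target` is a known credential store."""
    t = target.rstrip("\\").lower()
    for pattern, app in CREDENTIAL_STORES.items():
        p = pattern.lower()
        if p.startswith("hkey_"):
            if t == p or t.startswith(p + "\\"):  # registry key or a subkey of it
                return app
        elif t.endswith(p):                        # profile-relative file path
            return app
    return None


def classify_events(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group credential-store accesses by process: proc -> [(app, target), ...]."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        app = match_store(m.group("target"))
        if app is not None:
            hits[m.group("proc")].append((app, m.group("target")))
    return dict(hits)


def suspicious_processes(hits: Dict[str, List[Tuple[str, str]]],
                         min_apps: int = 3) -> Dict[str, List[str]]:
    """Flag processes that read the stores of >= min_apps applications they do not own.

    An application reading its own store (firefox.exe opening Firefox's
    profiles.ini) is normal and is not counted; a stealer reads everyone's.
    """
    flagged: Dict[str, List[str]] = {}
    for proc, accesses in hits.items():
        basename = proc.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        foreign = sorted({app for app, _ in accesses if app.lower() not in basename})
        if len(foreign) >= min_apps:
            flagged[proc] = foreign
    return flagged


# Constructed sample events: the report's accesses rewritten into the assumed
# layout, plus two benign accesses by the owning applications and one
# unrelated file. Not captured from a real system.
MALWARE = r"C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe"
SAMPLE_EVENTS = [
    f"Source: {MALWARE} File opened: " + r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    f"Source: {MALWARE} Key opened: " + r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    f"Source: {MALWARE} Key opened: " + r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    f"Source: {MALWARE} Key opened: " + r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    f"Source: {MALWARE} File opened: " + r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    f"Source: {MALWARE} File opened: " + r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect" + "\\",
    f"Source: {MALWARE} File opened: " + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    f"Source: {MALWARE} File opened: " + r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    f"Source: {MALWARE} File opened: " + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    f"Source: {MALWARE} File opened: " + r"C:\Users\user\Documents\notes.txt",
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

if __name__ == "__main__":
    for proc, apps in suspicious_processes(classify_events(SAMPLE_EVENTS)).items():
        print(f"{proc}: reads credential stores of {', '.join(apps)}")
```

Run as written, the only process reported is the sample itself, with all eight applications; firefox.exe and chrome.exe each touch only their own store and stay below the threshold. The same check works on Sysmon Event ID 11/12/13 or EDR file and registry telemetry once the path normalisation matches that source.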

Remote Access Functionality

Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.458aa98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.416014888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.414120802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.416564680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.638637561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6520, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques per tactic column, in the report's row order. Leading digits are the count badges the report attaches to matched techniques.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 3 Software Packing; 1 Masquerading; 1 Modify Registry; 131 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 2 OS Credential Dumping; 111 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 114 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 111 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Source | Detection | Scanner | Label
6R24hlXGVS56Z6Y.exe | 37% | Virustotal |
6R24hlXGVS56Z6Y.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
6R24hlXGVS56Z6Y.exe | 100% | Avira | HEUR/AGEN.1235153
6R24hlXGVS56Z6Y.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
4.2.6R24hlXGVS56Z6Y.exe.600000.1.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.600000.11.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.600000.7.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6R24hlXGVS56Z6Y.exe.600000.1.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
0.2.6R24hlXGVS56Z6Y.exe.fb0000.0.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6R24hlXGVS56Z6Y.exe.600000.5.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.600000.2.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6R24hlXGVS56Z6Y.exe.600000.13.unpack | 100% | Avira | HEUR/AGEN.1235153
0.0.6R24hlXGVS56Z6Y.exe.fb0000.0.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.600000.0.unpack | 100% | Avira | HEUR/AGEN.1235153
4.0.6R24hlXGVS56Z6Y.exe.600000.9.unpack | 100% | Avira | HEUR/AGEN.1235153
4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6R24hlXGVS56Z6Y.exe.600000.3.unpack | 100% | Avira | HEUR/AGEN.1235153
Source | Detection | Scanner | Label
samsung-tv.buzz | 2% | Virustotal |
Source | Detection | Scanner | Label
http://www.goodfont.co.krom | 0% | URL Reputation | safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe
http://ocsp.suscerte.gob.ve0 | 0% | URL Reputation | safe
http://www.sandoll.co.krn-uK | 0% | Avira URL Cloud | safe
http://crl.dhimyotis.com/certignarootca.crl0 | 0% | URL Reputation | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe
http://www.fontbureau.comalsF | 0% | URL Reputation | safe
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cnht | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/dpc0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/8 | 0% | URL Reputation | safe
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/$ | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://policy.camerfirma.com0 | 0% | URL Reputation | safe
http://www.carterandcone.coma | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-b/cacrl.crl0 | 0% | URL Reputation | safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/P | 0% | URL Reputation | safe
https://wwww.certigna.fr/autorites/0m | 0% | URL Reputation | safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/K | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.globaltrust.info0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/B | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://ac.economia.gob.mx/last.crl0G | 0% | URL Reputation | safe
http://www.carterandcone.comof | 0% | URL Reputation | safe
https://EEMzZM29crUf0q.org | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/l | 0% | URL Reputation | safe
http://crl.oces.trust2408.com/oces.crl0 | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://certs.oaticerts.com/repository/OATICA2.crl | 0% | URL Reputation | safe
http://certs.oati.net/repository/OATICA2.crt0 | 0% | URL Reputation | safe
http://www.accv.es00 | 0% | URL Reputation | safe
http://www.fontbureau.comsivo$ | 0% | Avira URL Cloud | safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | 0% | URL Reputation | safe
http://www.carterandcone.com$ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ue | 0% | URL Reputation | safe
http://www.acabogacia.org0 | 0% | URL Reputation | safe
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe
http://crl.securetrust.com/SGCA.crl0 | 0% | URL Reputation | safe
http://www.agesic.gub.uy/acrn/acrn.crl0) | 0% | URL Reputation | safe
http://www.rcsc.lt/repository0 | 0% | URL Reputation | safe
http://www.sandoll.co.krs-c | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://certs.oaticerts.com/repository/OATICA2.crt08 | 0% | URL Reputation | safe
http://cps.chambersign.org/cps/chambersignroot.html0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/wa | 0% | URL Reputation | safe
http://www.oaticerts.com/repository. | 0% | URL Reputation | safe
http://www.ancert.com/cps0 | 0% | URL Reputation | safe
http://ocsp.accv.es0 | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0 | 0% | URL Reputation | safe
http://www.echoworx.com/ca/root2/cps.pdf0 | 0% | URL Reputation | safe
http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03 | 0% | URL Reputation | safe
http://samsung-tv.buzz | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/va | 0% | URL Reputation | safe
http://crl.defence.gov.au/pki0 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
samsung-tv.buzz | 195.54.163.133 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.goodfont.co.krom | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455661936.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454554430.0000000006803000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.suscerte.gob.ve0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krn-uK | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.dhimyotis.com/certignarootca.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454786394.00000000067A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.chambersign.org1 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://repository.swisssign.com/0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-c/cacrl.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsF | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389669965.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642919631.0000000006788000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454797413.00000000067A5000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455786336.00000000067A5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnht | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383405212.00000000063BE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383502102.00000000063C4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.suscerte.gob.ve/dpc0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/8 | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387557703.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387671462.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387511186.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387603719.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387434200.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642919631.0000000006788000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454797413.00000000067A5000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455786336.00000000067A5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/$ | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385016258.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como. | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://pki.registradores.org/normativa/index.htm0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://policy.camerfirma.com0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.anf.es/es/address-direccion.html | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coma | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.anf.es/address/)1(0& | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | false |
                                high
                                http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466720672.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465548130.0000000006BC3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643882853.0000000006BC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://cps.letsencrypt.org06R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465916495.00000000067B7000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642983870.00000000067B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://crl.ssc.lt/root-b/cacrl.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454776252.0000000006C05000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.certicamara.com/dpc/0Z6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://crl.pki.wellsfargo.com/wsprca.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.461073416.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455241825.0000000006B2C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/P6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://wwww.certigna.fr/autorites/0m6R24hlXGVS56Z6Y.exe, 00000004.00000003.454786394.00000000067A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf06R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454825636.0000000006C02000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/K6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386261996.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386199122.00000000063BC000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386167015.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.anf.es/AC/ANFServerCA.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.globaltrust.info06R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/B6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386261996.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386199122.00000000063BC000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386167015.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.coml6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://ac.economia.gob.mx/last.crl0G6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.comof6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://EEMzZM29crUf0q.org6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640941183.0000000002D1B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt06R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/l6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386261996.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://crl.oces.trust2408.com/oces.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://eca.hinet.net/repository06R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.fontbureau.comals6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://certs.oaticerts.com/repository/OATICA2.crl6R24hlXGVS56Z6Y.exe, 00000004.00000003.454913928.0000000006BFE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://certs.oati.net/repository/OATICA2.crt06R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.accv.es006R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comsivo$6R24hlXGVS56Z6Y.exe, 00000000.00000003.390359522.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390426618.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390578615.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390486046.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf06R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://web.ncdc.gov.sa/crl/nrcaparta1.crl6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.com$6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.datev.de/zertifikat-policy-int06R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cn/bThe6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/ue6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.acabogacia.org06R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.firmaprofesional.com/cps06R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://api.ipify.org%%startupfolder%6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                low
                                                http://crl.securetrust.com/SGCA.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454538794.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455625077.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.460720359.00000000067F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.agesic.gub.uy/acrn/acrn.crl0)6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.rcsc.lt/repository06R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.sandoll.co.krs-c6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382675016.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.typography.netD6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://fontfabrik.com6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380606284.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380758503.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380677591.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380652171.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://web.certicamara.com/marco-legal0Z6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.quovadisglobal.com/cps06R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://x1.c.lencr.org/06R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://x1.i.lencr.org/06R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fonts.com6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.sandoll.co.kr6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382905321.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382675016.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.urwpp.de6R24hlXGVS56Z6Y.exe, 00000000.00000003.388329849.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://certs.oaticerts.com/repository/OATICA2.crt086R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://cps.chambersign.org/cps/chambersignroot.html06R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.anf.es/AC/RC/ocsp0c6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.jiyu-kobo.co.jp/wa6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.oaticerts.com/repository.6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.ancert.com/cps06R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://ocsp.accv.es06R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466720672.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465548130.0000000006BC3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643882853.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.echoworx.com/ca/root2/cps.pdf0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://rca.e-szigno.hu/ocsp0- | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://samsung-tv.buzz | 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://eca.hinet.net/repository/CRL2/CA.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.datev.de/zertifikat-policy-std0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/jp/ | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.383604980.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384160713.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384516970.00000000063BB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/va | 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.defence.gov.au/pki0 | 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.54.163.133 | samsung-tv.buzz | Ukraine | 15626 | ITLASUA | true
                                                                  IP
                                                                  192.168.2.1
                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                  Analysis ID:635212
Start date and time: 2022-05-27 17:06:05 +02:00
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 10m 58s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Sample file name:6R24hlXGVS56Z6Y.exe
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 20
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@3/4@2/2
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HDC Information:
                                                                  • Successful, ratio: 2.2% (good quality ratio 1.7%)
                                                                  • Quality average: 19.5%
                                                                  • Quality standard deviation: 21.5%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 31
                                                                  • Number of non-executed functions: 1
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210, 8.241.9.126, 8.241.79.254, 8.248.131.254, 8.241.9.254, 8.252.5.126
                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:07:32 | API Interceptor | 650x Sleep call for process: 6R24hlXGVS56Z6Y.exe modified
Match | Associated Sample Name / URL | Detection | Context
195.54.163.133 | Order.doc | malicious | binatonezx.gq/cgi-sys/suspendedpage.cgi
Match | Associated Sample Name / URL | Detection | Context
samsung-tv.buzz | DrYFu0WLwMjz5fY.exe | malicious | 195.54.163.133
samsung-tv.buzz | 3jcgfadOXAwcx1Y.exe | malicious | 195.54.163.133
Match | Associated Sample Name / URL | Detection | Context
ITLASUA | DrYFu0WLwMjz5fY.exe | malicious | 195.54.163.133
ITLASUA | 3jcgfadOXAwcx1Y.exe | malicious | 195.54.163.133
ITLASUA | 28NAjbp3j2.exe | malicious | 130.0.234.120
ITLASUA | rhlBYBsyCn.exe | malicious | 130.0.234.120
ITLASUA | E95r2EO5Iq.exe | malicious | 130.0.234.120
ITLASUA | 8CTj6lT7NR.exe | malicious | 130.0.234.120
ITLASUA | KYjbv4vju9.exe | malicious | 130.0.234.120
ITLASUA | Oo3dV7N1HB.exe | malicious | 130.0.234.120
ITLASUA | rACVYUqdxZ.exe | malicious | 130.0.234.120
ITLASUA | 5E6449A25E997068FFC6BE188E3E004EC7168ED4AADA8.exe | malicious | 130.0.234.120
ITLASUA | 7ucqTDGaXX.exe | malicious | 130.0.234.120
ITLASUA | D8V31WZknG.exe | malicious | 130.0.234.120
ITLASUA | qllgFYeLMa.exe | malicious | 130.0.234.120
ITLASUA | base.apk | malicious | 217.12.204.162
ITLASUA | setup.exe | malicious | 130.0.234.120
ITLASUA | Jov9w120XP.exe | malicious | 130.0.234.120
ITLASUA | s57Kzx55P4.exe | malicious | 130.0.234.120
ITLASUA | yjgKnP7uVj.exe | malicious | 130.0.234.120
ITLASUA | PRu3JHI5wz | malicious | 217.12.214.46
ITLASUA | XLmp2YvKCN.exe | malicious | 130.0.234.120
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:Microsoft Cabinet archive data, 61476 bytes, 1 file
                                                                  Category:dropped
                                                                  Size (bytes):61476
                                                                  Entropy (8bit):7.995018321729444
                                                                  Encrypted:true
                                                                  SSDEEP:1536:NATLwfiuePkACih0/8uIwf5CiqGLhk1V/AFnGegJR:N7nePk5gKsoBha/0GTf
                                                                  MD5:308336E7F515478969B24C13DED11EDE
                                                                  SHA1:8FB0CF42B77DBBEF224A1E5FC38ABC2486320775
                                                                  SHA-256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
                                                                  SHA-512:61AD97228CD6C3909EF3AC5E4940199971F293BDD0D5EB7916E60469573A44B6287C0FA1E0B6C1389DF35EB6C9A7D2A61FDB318D4A886A3821EF5A9DAB3AC24F
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:MSCF....$.......,...................I........w.........Tp. .authroot.stl.H#F..4..CK..<Tk...c_.d....A.F...,.&K..*i.RJJ..J.".%.KY"{n...."{..Lu3.Ln........y...........M.:...<. v...H..~.#Ov.a0xN....)..C..t.z.,x.00.1``L......L.\..1.|..2.1.0mD...H1/......G..UT7!...r.X:....D.0.0...M....I(.-.+..v#...(.r.....z.Y`&hw..Gl+.je.e.j..{.1......9f=.&.........s.W...L.].+...).f...u.....8....}R...w.X..>.A.Yw...a.x...T8V.e...^.7.q..t^.+....f.q).B.M......64.<!W(........D!.0.t "X...l.....D0.......+...A......0.o..t93.v..O1V x}H.S)....GH.6.l...p2.(4k.....!,.L`......h:.a]?......J9.\..Ww........%......a4E...q.*...#..a..y..M..R.t..Z2!.T.Ua.k.'O..\./ d.F>.V...3...._.J....."....wI..'..z...j..Ds...qZ...[..........O<.d.K..hH@c1....[w7..z...l....h,.b.........'.w.......bO.i{.......+.-...H..."<...L.Tu}.Y.lB.]3..4..G.3..`E..NF......{o.h]}p....G..$..4....;..&.O.d....v:Ik.T..ObLq..&.j.j...B9.(..!..\.:K`.....:O..N.....C..jD:.i.......1.....eCo.c..3o.........nN.D..3.7...
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):328
                                                                  Entropy (8bit):3.1008650894945404
                                                                  Encrypted:false
                                                                  SSDEEP:6:kKbXBmN+SkQlPlEGYRMY9z+4KlDA3RUecl7PG1:PkPlE99SNxAhUecl61
                                                                  MD5:73613CA04B78246223E042C2C658801F
                                                                  SHA1:1E28BFB3D44CA59265AB73743E70E5142E62345B
                                                                  SHA-256:425A28548A28D23A991340FF23F25679B3C6CF61F817A95E20D03271DCAA317B
                                                                  SHA-512:638B2416F7D87E6AE24B3D284EE725EE0F72B23C59CBC0174BBA40602A71B798E9CEBB067A702A3B7398407CF22A046D31EDE601358D30BD1BA9B584C54CDA12
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:p...... .........N..+r..(....................................................... ........3f..o......&...........$...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.3.3.6.6.b.4.9.0.6.f.d.8.1.:.0."...
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1308
                                                                  Entropy (8bit):5.345811588615766
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                  Category:modified
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):0.6951152985249047
                                                                  Encrypted:false
                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                                  MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                                  SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                                  SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                                  SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
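The "Entropy (8bit)" and "Encrypted" values in the dropped-file records above come from the byte-frequency (Shannon) entropy of each file: the 61 KB cabinet scores 7.995 of a possible 8 bits per byte and is flagged encrypted, while the 328-byte metadata file and the SQLite database score low. The block below is an added example written for this page, not Joe Sandbox's code. It reimplements that measure and extends it to a windowed scan that locates a high-entropy blob embedded in an otherwise ordinary file, which is how a packed or encrypted payload inside a .NET dropper (the report notes very large array initialisations in the managed code) shows up before any unpacking. The 7.9 "encrypted" cut-off, the 4 KiB window, its 7.5 per-window threshold and the sample bytes are assumptions constructed for the example, not values taken from the sandbox.

```python
import math
import random
from collections import Counter

# Assumed thresholds, not Joe Sandbox's documented values: a blob at or above
# ENCRYPTED_THRESHOLD bits/byte is called encrypted (or compressed; the measure cannot tell).
ENCRYPTED_THRESHOLD = 7.9
WINDOW = 4096           # bytes per window in the sliding scan
WINDOW_THRESHOLD = 7.5  # lower than the file-level cut-off: small samples under-estimate entropy


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    return shannon_entropy(data) >= threshold


def high_entropy_regions(data: bytes, window: int = WINDOW, threshold: float = WINDOW_THRESHOLD):
    """Return merged [start, end) byte ranges whose fixed-size windows exceed the threshold.

    On a dropper whose own code is low-entropy but which carries an encrypted payload as a
    resource or a large byte-array initialiser, the payload stands out as one contiguous
    high-entropy region, which gives the offsets to carve it out for further analysis.
    """
    regions = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]          # last chunk may be shorter than a window
        if shannon_entropy(chunk) > threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # adjacent window: extend the open region
            else:
                regions.append((start, end))
    return regions


# Constructed sample file: 4 KiB of low-entropy text, 8 KiB of seeded PRNG bytes standing in
# for an encrypted payload, 4 KiB of zero padding. These are not bytes from the analysed sample.
TEXT = (b"!This program cannot be run in DOS mode.\r\n" * 100)[:4096]
_rng = random.Random(2022)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(8192))
ZEROS = bytes(4096)
SAMPLE = TEXT + PAYLOAD + ZEROS

if __name__ == "__main__":
    print(f"whole file: {shannon_entropy(SAMPLE):.3f} bits/byte, encrypted={looks_encrypted(SAMPLE)}")
    print("high-entropy regions:", [(hex(s), hex(e)) for s, e in high_entropy_regions(SAMPLE)])
```

On the constructed file the whole-file figure sits well below the cut-off, which is the usual picture for a dropper: only the windowed scan reveals that bytes 0x1000 to 0x3000 are the encrypted part. On a real file, pass `open(path, "rb").read()` to both functions; remember that compressed resources (fonts, images, cabinets such as the one above) score just as high as ciphertext, so a high region is a lead to inspect, not a verdict.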
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.821023279624439
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:6R24hlXGVS56Z6Y.exe
                                                                  File size:670720
                                                                  MD5:a9819b4b8ca61d132faa30c59482c10f
                                                                  SHA1:226725a9f34ade061c288e6a6faddd944fec8868
                                                                  SHA256:86a8ba97bde5b049538c73c0e8fc0484a0883422944eb5b988eec2233d004837
                                                                  SHA512:d5f258ced031dfcb55c5b50be6d86029da4ee56a323950ac22c8d39d1f9003f76ef9183694558d2e50041326d96358b4cb3ee0fbffb1572db500a4e8dc0e858f
                                                                  SSDEEP:12288:m5lbHo6UHQKywl4DsE84eys2wSO4h0VR81ZnUv3/rWXMnM3jNbazUatGG:qbHoSY+X59O4mVRaVA6XIMz4zUmGG
                                                                  TLSH:8EE40119F771A9E6E45C03BE3071183A2F64CB33E5BEE65D68A8711328742C6055BECB
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.....................L........... ... ....@.. ....................................@................................
                                                                  Icon Hash:31b1393969391b39
                                                                  Entrypoint:0x4a0cce
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x628FCA9D [Thu May 26 18:44:45 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
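The header fields listed above (entry point, image base, subsystem, file and DLL characteristics, link timestamp, presence of a CLR header) and the 6-byte `jmp dword ptr [00402000h]` that the entry-point disassembly shows are all recoverable from the raw bytes. The following is an added example written for this page, not Joe Sandbox's code: a pure-Python PE32 reader that pulls those fields and checks whether the native entry point is the managed-code stub, that is, an `FF 25` jump through the import address table to `_CorExeMain`. It runs on a constructed minimal image carrying this sample's header values (the real file is not embedded); the `_CorExeMain` name lookup assumes an unbound on-disk IAT, which is what .NET compilers emit, and `parse_pe32` and `build_sample_pe` are names chosen here. The practical point for triage: in a .NET executable the native entry point is boilerplate and the run of `add byte ptr [eax], al` after it is zero padding, so the analysis belongs in the IL behind the CLR header (dnSpy or ILSpy), not in a native disassembler.

```python
import struct
from datetime import datetime, timezone

# Subsets of the IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* bits, named as the report prints them.
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
                   0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def section_for(rva, sections):
    for sec in sections:                      # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
        _, va, vsize, _, raw_size = sec
        if va <= rva < va + max(vsize, raw_size):
            return sec
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def rva_to_offset(rva, sections):
    _, va, _, raw_ptr, _ = section_for(rva, sections)
    return rva - va + raw_ptr


def parse_pe32(data: bytes) -> dict:
    """Read the COFF/optional header fields the report lists and classify the entry stub."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                           # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    iat_rva, iat_size = struct.unpack_from("<II", data, opt + 96 + 12 * 8)  # data directory 12: IAT
    clr_rva, clr_size = struct.unpack_from("<II", data, opt + 96 + 14 * 8)  # data directory 14: CLR header
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    info = {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": flag_names(chars, CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "image_base": image_base,
        "entry_va": image_base + entry_rva,
        "entry_section": section_for(entry_rva, sections)[0],
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "entry_is_iat_jmp": False,
        "entry_import": None,
    }
    # A .NET EXE's native entry point is only "jmp dword ptr [IAT slot]" (FF 25 imm32) and the slot
    # holds mscoree!_CorExeMain; the program logic is IL reached through the CLR header.
    off = rva_to_offset(entry_rva, sections)
    if data[off:off + 2] == b"\xFF\x25":
        target_rva = struct.unpack_from("<I", data, off + 2)[0] - image_base
        if iat_rva <= target_rva < iat_rva + iat_size:
            info["entry_is_iat_jmp"] = True
            thunk = struct.unpack_from("<I", data, rva_to_offset(target_rva, sections))[0]
            if not thunk & 0x80000000:                                      # import by name, unbound IAT
                hint_name = rva_to_offset(thunk, sections) + 2              # skip the 2-byte hint
                info["entry_import"] = data[hint_name:data.index(b"\0", hint_name)].decode("ascii")
    return info


def build_sample_pe(dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 carrying this report's header values (a stand-in, not the real sample)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0x628FCA9D, 0, 0, 0xE0, 0x010E)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, 0x2050)                           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", img, opt + 28, 0x400000)                         # ImageBase
    struct.pack_into("<HH", img, opt + 68, 2, 0x8540)                       # GUI; NO_SEH|TS_AWARE|DYN_BASE|NX
    struct.pack_into("<I", img, opt + 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 12 * 8, 0x2000, 8)              # IAT directory
    if dotnet:
        struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2008, 72)         # CLR header directory
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, 0x2000, 0x200, 0x200)   # VSize, VA, RawSize, RawPtr
    struct.pack_into("<I", img, sec + 36, 0x60000020)                       # CODE | EXECUTE | READ
    struct.pack_into("<I", img, 0x200, 0x2060)                              # IAT[0] -> hint/name entry
    img[0x260:0x26E] = b"\0\0_CorExeMain\0"
    if dotnet:
        img[0x250:0x256] = b"\xFF\x25" + struct.pack("<I", 0x402000)        # jmp dword ptr [00402000h]
    else:
        img[0x250:0x253] = b"\x55\x8B\xEC"                                   # push ebp; mov ebp, esp
    return bytes(img)


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Running it on a real file is `parse_pe32(open(path, "rb").read())`; `entry_is_iat_jmp` together with `is_dotnet` is the cheap check that tells a .NET assembly from a native binary before any tooling is opened, and `timestamp_utc` reproduces the report's link time for 0x628FCA9D.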
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa0c74          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa2000          0x488c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x9ecd4       0x9ee00   False     0.89987737264    data       7.84091961833    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xa2000          0x488c        0x4a00    False     0.663481841216   data       6.51566732649    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa8000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                                                                        Language  Country
RT_ICON        0xa2130  0x4228  dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294268550, next used block 4294202757
RT_GROUP_ICON  0xa6358  0x14    data
RT_VERSION     0xa636c  0x36c   data
RT_MANIFEST    0xa66d8  0x1b4   XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2017
Assembly Version  1.0.0.0
InternalName      InternalRemotingServi.exe
FileVersion       1.0.0.0
CompanyName       Microsoft
LegalTrademarks
Comments
ProductName       BlockGame App
ProductVersion    1.0.0.0
FileDescription   BlockGame App
OriginalFilename  InternalRemotingServi.exe
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
May 27, 2022 17:07:49.407982111 CEST  61116        53         192.168.2.6  8.8.8.8
May 27, 2022 17:07:49.438499928 CEST  53           61116      8.8.8.8      192.168.2.6
May 27, 2022 17:08:01.902328968 CEST  50029        53         192.168.2.6  8.8.8.8
May 27, 2022 17:08:01.933845043 CEST  53           50029      8.8.8.8      192.168.2.6
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
May 27, 2022 17:07:49.407982111 CEST  192.168.2.6  8.8.8.8  0x9836    Standard query (0)  samsung-tv.buzz  A (IP address)  IN (0x0001)
May 27, 2022 17:08:01.902328968 CEST  192.168.2.6  8.8.8.8  0x8455    Standard query (0)  samsung-tv.buzz  A (IP address)  IN (0x0001)
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address         Type            Class
May 27, 2022 17:07:49.438499928 CEST  8.8.8.8    192.168.2.6  0x9836    No error (0)  samsung-tv.buzz         195.54.163.133  A (IP address)  IN (0x0001)
May 27, 2022 17:08:01.933845043 CEST  8.8.8.8    192.168.2.6  0x8455    No error (0)  samsung-tv.buzz         195.54.163.133  A (IP address)  IN (0x0001)
Timestamp                             Source Port  Dest Port  Source IP       Dest IP         Commands
May 27, 2022 17:07:50.788113117 CEST  587          49774      195.54.163.133  192.168.2.6     220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Fri, 27 May 2022 18:07:50 +0300
                                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                                              220 and/or bulk e-mail.
May 27, 2022 17:07:50.793912888 CEST  49774        587        192.168.2.6     195.54.163.133  EHLO 358075
May 27, 2022 17:07:50.846843004 CEST  587          49774      195.54.163.133  192.168.2.6     250-cp5ua.hyperhost.ua Hello 358075 [102.129.143.42]
                                                                                              250-SIZE 52428800
                                                                                              250-8BITMIME
                                                                                              250-PIPELINING
                                                                                              250-PIPE_CONNECT
                                                                                              250-STARTTLS
                                                                                              250 HELP
May 27, 2022 17:07:50.847846031 CEST  49774        587        192.168.2.6     195.54.163.133  STARTTLS
May 27, 2022 17:07:50.902426004 CEST  587          49774      195.54.163.133  192.168.2.6     220 TLS go ahead
May 27, 2022 17:08:02.093596935 CEST  587          49780      195.54.163.133  192.168.2.6     220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Fri, 27 May 2022 18:08:01 +0300
                                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                                              220 and/or bulk e-mail.
May 27, 2022 17:08:02.093878984 CEST  49780        587        192.168.2.6     195.54.163.133  EHLO 358075
May 27, 2022 17:08:02.146786928 CEST  587          49780      195.54.163.133  192.168.2.6     250-cp5ua.hyperhost.ua Hello 358075 [102.129.143.42]
                                                                                              250-SIZE 52428800
                                                                                              250-8BITMIME
                                                                                              250-PIPELINING
                                                                                              250-PIPE_CONNECT
                                                                                              250-STARTTLS
                                                                                              250 HELP
May 27, 2022 17:08:02.153640985 CEST  49780        587        192.168.2.6     195.54.163.133  STARTTLS
May 27, 2022 17:08:02.209285975 CEST  587          49780      195.54.163.133  192.168.2.6     220 TLS go ahead

                                                                  Target ID:0
                                                                  Start time:17:07:20
                                                                  Start date:27/05/2022
                                                                  Path:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe"
                                                                  Imagebase:0xfb0000
                                                                  File size:670720 bytes
                                                                  MD5 hash:A9819B4B8CA61D132FAA30C59482C10F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Target ID:4
                                                                  Start time:17:07:39
                                                                  Start date:27/05/2022
                                                                  Path:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  Imagebase:0x600000
                                                                  File size:670720 bytes
                                                                  MD5 hash:A9819B4B8CA61D132FAA30C59482C10F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.416014888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.416014888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.414120802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.414120802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.416564680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.416564680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.638637561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.638637561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
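The two process entries above show the same binary twice: the second instance (Target ID 4) is started 19 seconds after the first at a different image base, and every one of its AgentTesla Yara sources sits at base address 00402000 with the fifth dump-name field set to 00000040, whereas the AntiVM and zgRAT hits in the parent are in heap regions with 00000004. As an added example (not part of the Joe Sandbox report and not Joe Security code), the Python script below parses such Yara match lines, groups rule hits per process and base address, and flags regions that are both writable and executable and hit by a non-AntiVM rule. The sample lines are copied from this report; reading the fifth dump-name field as a Win32 page-protection value, and all function names, are assumptions of this example.

```python
"""Triage helper for Joe Sandbox Yara match lines.

Added example for this report, not Joe Sandbox / Joe Security code. It parses
"Rule: ..., Description: ..., Source: ....sdmp, Author: ..." lines, groups rule
hits per (Target ID, base address) memory region and flags regions that look
like an unpacked, injected payload.
"""
import re
from collections import defaultdict

# Constructed sample input: Yara match lines copied from the two process
# entries of this report (a subset, one or two lines per distinct region).
SAMPLE_LINES = """\
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.638637561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
"""

MATCH_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>[^,]+),\s*"
    r"Source:\s*(?P<source>\S+?\.sdmp),\s*Author:\s*(?P<author>.+)$"
)

# Win32 page-protection constants. Assumption: the fifth field of a dump name
# (00000040 / 00000004 in the lines above) is the region's protection value.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40


def parse_source(source):
    """Split an .sdmp name into the fields this script uses.

    Field 0 is the Target ID and field 3 the base address; both are confirmed
    by the report (the 018F0000 dump is listed with "Offset: 018F0000").
    Reading field 4 as the page protection is an assumption.
    """
    fields = source[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name: {source}")
    return {
        "target": int(fields[0]),
        "base": int(fields[3], 16),
        "protect": int(fields[4], 16),
    }


def parse_matches(text):
    """Return one dict per Yara match line; non-matching lines are skipped."""
    matches = []
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if m:
            rec = m.groupdict()
            rec.update(parse_source(rec["source"]))
            matches.append(rec)
    return matches


def summarize(matches):
    """Group rule names per (target, base) region, collapsing repeated
    snapshots of the same region (the report lists 00402000 five times)."""
    regions = defaultdict(lambda: {"rules": set(), "protect": 0})
    for m in matches:
        region = regions[(m["target"], m["base"])]
        region["rules"].add(m["rule"])
        region["protect"] = m["protect"]
    return dict(regions)


def flag_injected_payload(regions):
    """Regions that are writable+executable and hit by a rule other than the
    AntiVM heuristics. In this report that is only the child process's
    00402000 image region, i.e. the unpacked AgentTesla payload."""
    flagged = []
    for (target, base), info in sorted(regions.items()):
        rwx = info["protect"] == PAGE_EXECUTE_READWRITE
        family_hit = any(not r.startswith("JoeSecurity_AntiVM") for r in info["rules"])
        if rwx and family_hit:
            flagged.append((target, base))
    return flagged


if __name__ == "__main__":
    regions = summarize(parse_matches(SAMPLE_LINES))
    for (target, base), info in sorted(regions.items()):
        print(f"target {target} base 0x{base:08X} protect 0x{info['protect']:02X}: "
              f"{sorted(info['rules'])}")
    print("likely injected payload:",
          [(t, f"0x{b:X}") for t, b in flag_injected_payload(regions)])
```

Run as-is it prints the four distinct regions and flags only (4, 0x402000). Protection alone is not a usable signal: the 018F0000 dump listed further down this report also carries 00000040 in the same field but has no Yara hit, which is why the script requires both conditions before flagging a region.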


                                                                    Execution Graph

                                                                    Execution Coverage:10.8%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:38
                                                                    Total number of Limit Nodes:3
execution_graph (edge list of the rendered graph; the API-calling paths it records):
• 018FDDC8: GetCurrentProcess, then GetCurrentThread (018FDE42), GetCurrentProcess (018FDE7F), GetCurrentThreadId (018FDEDD)
• 018F40D0 reaches 018F38A8 and then 018F5350: CreateActCtxA
• 018FB9F0 reaches 018FBD70, then 018FB048 and 018FBF50: LoadLibraryExW; the same path also reaches 018FBB0B and 018FBD10: GetModuleHandleW
• 018FDFF0: DuplicateHandle

                                                                    Control-flow Graph

• Function: 018F6D9E, basic blocks 018F6D9E-018F72D7
• Calls: 018F7DF0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 76545d1024d1f0831d9882b7e223ce3e3886f4e00b25591a5ac2219d9dd5ffa9
                                                                    • Instruction ID: c8c085904d5a7227536487aead0a0dda3d2a45d541b517be0f5dd3387a340e75
                                                                    • Opcode Fuzzy Hash: 76545d1024d1f0831d9882b7e223ce3e3886f4e00b25591a5ac2219d9dd5ffa9
                                                                    • Instruction Fuzzy Hash: 30E16C75A1052A9FDB14CF79D880AAEB7F2FF88304B11D669D406EB359DB34A901CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

• Function: 018F7DF0, basic blocks 018F7DF0-018F80E9
• Calls: 018F7D10, 018F7BB0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 151be297b6dfc310b05f85fee65bc521cf8222fced5b42b297116d8323b441d5
                                                                    • Instruction ID: aad8e24a551cebe2cc4d7a1a07ae59f0f4d58e63e81b22717d57e97b2407e7c4
                                                                    • Opcode Fuzzy Hash: 151be297b6dfc310b05f85fee65bc521cf8222fced5b42b297116d8323b441d5
                                                                    • Instruction Fuzzy Hash: 6B816C32F102259FD714DB69CC80A9EB7E3AFC8714F1A8169E505EB765DF34AD018B90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 30ee3021dd4f297154aa58a43222e944396a7c4f01c1d5e7d79c66098efc083e
                                                                    • Instruction ID: c93af72dcda773e1867f7ec1d4dce82f29161ab20d303273c377bcd02c5d7ad1
                                                                    • Opcode Fuzzy Hash: 30ee3021dd4f297154aa58a43222e944396a7c4f01c1d5e7d79c66098efc083e
                                                                    • Instruction Fuzzy Hash: 0C7106B8E4010E9FDF14CFAAD584ABDBBF1FB49304F20A259D012EB254DB31AA05CB55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 018FDE28
                                                                    • GetCurrentThread.KERNEL32 ref: 018FDE65
                                                                    • GetCurrentProcess.KERNEL32 ref: 018FDEA2
                                                                    • GetCurrentThreadId.KERNEL32 ref: 018FDEFB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 0143d10bb28755ca0bc01d29656299f650c7b030e19f7fc7210fb2c7daab88c4
                                                                    • Instruction ID: da7d5b6c705d80ce0893a27128725f95b7bb7c07d9bb27ebf0c6fae51e02e70b
                                                                    • Opcode Fuzzy Hash: 0143d10bb28755ca0bc01d29656299f650c7b030e19f7fc7210fb2c7daab88c4
                                                                    • Instruction Fuzzy Hash: 855152B09006898FDB14CFA9C948BDEBBF0EF88304F24855AE619BB350D7746944CB65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 018FBD2E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: aaa9400c86ba1e6eba76c4e8097b5e0bd608ffaf8c2ad9af44ca674485fc18ba
                                                                    • Instruction ID: d04ceab1b913271c2887546080e031c4a293cd1e75f097cce0f03cff2b3e0dd9
                                                                    • Opcode Fuzzy Hash: aaa9400c86ba1e6eba76c4e8097b5e0bd608ffaf8c2ad9af44ca674485fc18ba
                                                                    • Instruction Fuzzy Hash: BC812370A00B098FD764DF29D48479ABBF1FF88304F008A2ED696DBA54DB74E945CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

• Function: 018F5344, basic blocks 018F5344-018F5499
• Calls: CreateActCtxA
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 018F5401
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: d25cca6b43a3e20f1191e7d796861773e9a40c79ff0b0eeba7928cb792c0217f
                                                                    • Instruction ID: 9f27a81eb4b35bed84fe4b17c051c3ed9e588004c05db22f249e70840ea226d9
                                                                    • Opcode Fuzzy Hash: d25cca6b43a3e20f1191e7d796861773e9a40c79ff0b0eeba7928cb792c0217f
                                                                    • Instruction Fuzzy Hash: 3841E1B0D04628CEDB24CFA9C884BDDBBB1FF48304F25816AD508AB255DB756A49CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

• Function: 018F38A8, basic blocks 018F38A8-018F5499
• Calls: CreateActCtxA
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 018F5401
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 0bd91b1e8935bf7c86368df7113540d23e9b3efdf520143aa65069b29e775b51
                                                                    • Instruction ID: babb9e4b263388292efc1bac57a295cbac303e70ab3a2ab79d54e7449a611222
                                                                    • Opcode Fuzzy Hash: 0bd91b1e8935bf7c86368df7113540d23e9b3efdf520143aa65069b29e775b51
                                                                    • Instruction Fuzzy Hash: C841E3B1D0466CCBDB24CFA9C884B8DBBB1FF48304F25806AD508AB251DB756945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

• Function: 018FDFF0, basic blocks 018FDFF0-018FE0AA
• Calls: DuplicateHandle
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018FE077
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 1a966fc2f7ff00e4fbc2fa5e7742f152eb20465452d59d3b8c4d6812311667ae
                                                                    • Instruction ID: ef00a6be65aa64aa2484573572d0226197b0a612cec12f11bb8514f329f38d03
                                                                    • Opcode Fuzzy Hash: 1a966fc2f7ff00e4fbc2fa5e7742f152eb20465452d59d3b8c4d6812311667ae
                                                                    • Instruction Fuzzy Hash: 3C21E2B59002489FDB10CFAAD884ADEBBF8FB48320F15801AE914A3310D374AA44DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

• Function: 018FB048, basic blocks 018FB048-018FBFED
• Calls: LoadLibraryExW
                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018FBDA9,00000800,00000000,00000000), ref: 018FBFBA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: b0b238af9faa283be10f1b1523a35eacd5d04db9233ad85d7c54edf1c942036f
                                                                    • Instruction ID: 618a1e225b9df44a1101a9dfe27958a8bd3e55688958a54dc2983acc32116f35
                                                                    • Opcode Fuzzy Hash: b0b238af9faa283be10f1b1523a35eacd5d04db9233ad85d7c54edf1c942036f
                                                                    • Instruction Fuzzy Hash: 991103B29043498FDB10CF9AC844ADEFBF4EB48314F04842EE615B7600C375A645CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

• Function: 018FBCC8, basic blocks 018FBCC8-018FBD58
• Calls: GetModuleHandleW
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 018FBD2E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: b616685c8cef0c2e0bceee68911dc55efb4c2bd480b704b0a5ab5db87a01492a
                                                                    • Instruction ID: 020f66cd2722c1ab7057d5dd85f13ad0005869b0ee41a52ef14477f960c23a99
                                                                    • Opcode Fuzzy Hash: b616685c8cef0c2e0bceee68911dc55efb4c2bd480b704b0a5ab5db87a01492a
                                                                    • Instruction Fuzzy Hash: A41110B1C002498FDB10DF9AC444BDEFBF4EF88324F14841AD919A7240C374A645CFA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.418902978.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_18f0000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: f52c47cb495f00da86cbfb2c596650349f138c83578efeaa3fc96dafdbeba0d5
                                                                    • Instruction ID: 37f16053b10da727de0e36d54c1f6e52e51808fae8226f6fdb7781c81abd2a93
                                                                    • Opcode Fuzzy Hash: f52c47cb495f00da86cbfb2c596650349f138c83578efeaa3fc96dafdbeba0d5
                                                                    • Instruction Fuzzy Hash: E651DF75B001098FCB14DBACD8845AEB7F2FFC9315B29856AD60ADB359DB30ED418B81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:17.1%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:121
                                                                    Total number of Limit Nodes:1
                                                                    execution_graph 18733 4e04540 18734 4e04554 18733->18734 18737 4e0478a 18734->18737 18744 4e04870 18737->18744 18748 4e0485f 18737->18748 18752 4e0496c 18737->18752 18756 4e049e8 18737->18756 18760 4e04986 18737->18760 18738 4e0455d 18745 4e048b4 18744->18745 18746 4e049ab 18745->18746 18764 4e04c67 18745->18764 18749 4e048b4 18748->18749 18750 4e049ab 18749->18750 18751 4e04c67 2 API calls 18749->18751 18751->18750 18753 4e0491f 18752->18753 18754 4e049ab 18753->18754 18755 4e04c67 2 API calls 18753->18755 18755->18754 18757 4e049ee 18756->18757 18758 4e04a00 18757->18758 18777 4e04f1f 18757->18777 18758->18738 18761 4e04999 18760->18761 18762 4e049ab 18760->18762 18763 4e04c67 2 API calls 18761->18763 18763->18762 18765 4e04c86 18764->18765 18769 4e04cb8 18765->18769 18773 4e04cc8 18765->18773 18766 4e04c96 18766->18746 18770 4e04d02 18769->18770 18771 4e04d2c RtlEncodePointer 18770->18771 18772 4e04d55 18770->18772 18771->18772 18772->18766 18774 4e04d02 18773->18774 18775 4e04d2c RtlEncodePointer 18774->18775 18776 4e04d55 18774->18776 18775->18776 18776->18766 18778 4e04f2a 18777->18778 18779 4e04f8f 18777->18779 18778->18758 18780 4e04fd7 RtlEncodePointer 18779->18780 18781 4e05000 18779->18781 18780->18781 18781->18758 18782 4e0add0 18783 4e0adee 18782->18783 18786 4e09dc0 18783->18786 18785 4e0ae25 18788 4e0c8f0 LoadLibraryA 18786->18788 18789 4e0c9cc 18788->18789 18790 4e00850 18791 4e0085d 18790->18791 18794 5b16050 18791->18794 18792 4e0086f 18795 5b16070 18794->18795 18798 5b166f0 18795->18798 18796 5b160e3 18796->18792 18800 5b166f9 18798->18800 18799 5b167ed 18799->18796 18800->18799 18802 5b16808 18800->18802 18803 5b16827 18802->18803 18804 5b1684f 18803->18804 18816 5b17c70 18803->18816 18824 5b1796a 18803->18824 18832 5b17dc9 18803->18832 18840 5b17d84 18803->18840 18848 5b18405 18803->18848 18852 5b17fa3 18803->18852 18860 5b18441 18803->18860 18864 5b17d3f 18803->18864 18872 5b17cfa 18803->18872 18880 5b17c34 18803->18880 18888 5b17cb5 18803->18888 18817 5b17c81 18816->18817 18818 5b17fc7 KiUserExceptionDispatcher 18817->18818 18819 5b17fe6 KiUserExceptionDispatcher 18818->18819 18821 5b18253 KiUserExceptionDispatcher 18819->18821 18823 5b18478 18821->18823 18823->18804 18825 5b17970 KiUserExceptionDispatcher 18824->18825 18827 5b17fe6 KiUserExceptionDispatcher 18825->18827 18829 5b18253 KiUserExceptionDispatcher 18827->18829 18831 5b18478 18829->18831 18831->18804 18833 5b17dda 18832->18833 18834 5b17fc7 KiUserExceptionDispatcher 18833->18834 18835 5b17fe6 KiUserExceptionDispatcher 18834->18835 18837 5b18253 KiUserExceptionDispatcher 18835->18837 18839 5b18478 18837->18839 18839->18804 18841 5b17d95 18840->18841 18842 5b17fc7 KiUserExceptionDispatcher 18841->18842 18843 5b17fe6 KiUserExceptionDispatcher 18842->18843 18845 5b18253 KiUserExceptionDispatcher 18843->18845 18847 5b18478 18845->18847 18847->18804 18849 5b18416 18848->18849 18850 5b1845c KiUserExceptionDispatcher 18849->18850 18851 5b18478 18850->18851 18851->18804 18853 5b17fb4 18852->18853 18854 5b17fc7 KiUserExceptionDispatcher 18853->18854 18855 5b17fe6 KiUserExceptionDispatcher 18854->18855 18857 5b18253 KiUserExceptionDispatcher 18855->18857 18859 5b18478 18857->18859 18859->18804 18861 5b18452 18860->18861 18862 5b1845c KiUserExceptionDispatcher 18861->18862 18863 5b18478 18862->18863 18863->18804 18865 5b17d50 18864->18865 18866 5b17fc7 KiUserExceptionDispatcher 18865->18866 18867 5b17fe6 KiUserExceptionDispatcher 18866->18867 18869 5b18253 KiUserExceptionDispatcher 18867->18869 18871 5b18478 18869->18871 18871->18804 18873 5b17d0b 18872->18873 18874 5b17fc7 KiUserExceptionDispatcher 18873->18874 18875 5b17fe6 KiUserExceptionDispatcher 18874->18875 18877 5b18253 KiUserExceptionDispatcher 18875->18877 18879 5b18478 18877->18879 18879->18804 18881 5b17c45 18880->18881 18882 5b17fc7 KiUserExceptionDispatcher 18881->18882 18883 5b17fe6 KiUserExceptionDispatcher 18882->18883 18885 5b18253 KiUserExceptionDispatcher 18883->18885 18887 5b18478 18885->18887 18887->18804 18889 5b17cc6 18888->18889 18890 5b17fc7 KiUserExceptionDispatcher 18889->18890 18891 5b17fe6 KiUserExceptionDispatcher 18890->18891 18893 5b18253 KiUserExceptionDispatcher 18891->18893 18895 5b18478 18893->18895 18895->18804 18896 4e0fc98 18897 4e0fcda 18896->18897 18899 4e0fce1 18896->18899 18898 4e0fd32 CallWindowProcW 18897->18898 18897->18899 18898->18899

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 5b1796a-5b18622 KiUserExceptionDispatcher * 3 140 5b18628-5b18677 0->140
                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: f7cd080ad5c04986e62d59e081889b18612171821e8cba223ac9e9ec0df0bfb2
                                                                    • Instruction ID: 3bf87e1f79e401a7a6d62a04631139e6983ff0d144e0a3159bab484091b1c3ac
                                                                    • Opcode Fuzzy Hash: f7cd080ad5c04986e62d59e081889b18612171821e8cba223ac9e9ec0df0bfb2
                                                                    • Instruction Fuzzy Hash: 77021735901259CFCB69DF70D889699B7B2FF49306F6041E9E90AA3354CB39AE81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 355770e457baab221a790502e2571cfbd0dff82bace14f0c38c55a47bc6d5379
                                                                    • Instruction ID: 8f4fde0b031d71f8aff8205444982583511465ba6e5cb47191657c39268ced20
                                                                    • Opcode Fuzzy Hash: 355770e457baab221a790502e2571cfbd0dff82bace14f0c38c55a47bc6d5379
                                                                    • Instruction Fuzzy Hash: 3CE12735901258CFCBA5DF70D889699B7B2FF49306F6041E9E90AA3354CB39AE81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 7781ac67ba18d7bdc96d5c8a860ffc982b297ba9a9f8bb61050eceb7382728e8
                                                                    • Instruction ID: ebe5e1851e6b9d24ce1fe648edcfe97a702ad5dfbb7798fd31bffd91c7e0acf7
                                                                    • Opcode Fuzzy Hash: 7781ac67ba18d7bdc96d5c8a860ffc982b297ba9a9f8bb61050eceb7382728e8
                                                                    • Instruction Fuzzy Hash: 43E11835901258CFCBA5DF74D889699B7B2FF49306F6041D9E90AA3354CB39AE81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: a9287978d163260769e7d5be7130bb4c4c9bcae7adc4f99d4bac00bf164bb5d9
                                                                    • Instruction ID: 85c6a2a320e241d028aa2ddea58ac3acc02d51d5346dffeb053222a4c53f3b00
                                                                    • Opcode Fuzzy Hash: a9287978d163260769e7d5be7130bb4c4c9bcae7adc4f99d4bac00bf164bb5d9
                                                                    • Instruction Fuzzy Hash: C5D10735901258CFCBA5DF74D889699B7B2FF49306F6041E9E90AA3354CB39AE81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 2c3e0dbcf52017af58b558cc5e662e581007046bb2609a0177a1879cb8c6e9c3
                                                                    • Instruction ID: 19dad3997aced3099859de948bea374563c90edfe80c1e05f1fa5d288f42f7e6
                                                                    • Opcode Fuzzy Hash: 2c3e0dbcf52017af58b558cc5e662e581007046bb2609a0177a1879cb8c6e9c3
                                                                    • Instruction Fuzzy Hash: CED11835901258CFCBA5DF74D889699B7B2FF49306F6041D9E90AA3354CB39AE81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 3522bf30680c6f8007bf3de09aef791c173a54a43986f2f692294c14e72f6581
                                                                    • Instruction ID: 9284a463d0752a31c50f952f316e3a5fb11096bb4fbb6bd403c67097f987bc88
                                                                    • Opcode Fuzzy Hash: 3522bf30680c6f8007bf3de09aef791c173a54a43986f2f692294c14e72f6581
                                                                    • Instruction Fuzzy Hash: A1D10835901258CFCBA5DF74D889699B7B2FF49306F6041D9E90AA3354CB39AE81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 985383b93072649f12b815a19584498d583546205d29bf9837f1078ee09af9c8
                                                                    • Instruction ID: a5b32ddb7d277f6dca9e83f701eac6f5535ef28ddb509be5f224da16c470ec61
                                                                    • Opcode Fuzzy Hash: 985383b93072649f12b815a19584498d583546205d29bf9837f1078ee09af9c8
                                                                    • Instruction Fuzzy Hash: 3DC10735901268CFCBA5DF74D889699B7B2FF49306F6041E9E90AA3354CB396E81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 5d8f91b6258e3f5cf2b80616f0500ae419af7c1bb4d9bbfd359d9ebed7344672
                                                                    • Instruction ID: ccd9ed68115cee5b8950085e755694d93d9c8a3c22e5b1a59989c1fe97a665aa
                                                                    • Opcode Fuzzy Hash: 5d8f91b6258e3f5cf2b80616f0500ae419af7c1bb4d9bbfd359d9ebed7344672
                                                                    • Instruction Fuzzy Hash: E7C10635901268CFCBA5DF74D889699B7B2FF49306F6041D9E90AA3354CB396E81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B17FC7
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B18234
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 5b36de1dad69432c51bfa2a558ac920ff712e8e248e9e0bc9c268c5ed38e3c63
                                                                    • Instruction ID: 9101f83454126772b059a6368b1c088a2bbad653c9df1773bce6ccd281a31e6f
                                                                    • Opcode Fuzzy Hash: 5b36de1dad69432c51bfa2a558ac920ff712e8e248e9e0bc9c268c5ed38e3c63
                                                                    • Instruction Fuzzy Hash: 49A12535901268CFCBA5DF74D889699B7B2FF49306F6041E9E90AA3354CB35AE81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 961 4e0fc98-4e0fcd4 962 4e0fd84-4e0fda4 961->962 963 4e0fcda-4e0fcdf 961->963 969 4e0fda7-4e0fdb4 962->969 964 4e0fce1-4e0fd18 963->964 965 4e0fd32-4e0fd6a CallWindowProcW 963->965 972 4e0fd21-4e0fd30 964->972 973 4e0fd1a-4e0fd20 964->973 966 4e0fd73-4e0fd82 965->966 967 4e0fd6c-4e0fd72 965->967 966->969 967->966 972->969 973->972
                                                                    APIs
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E0FD59
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.641551276.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4e00000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: CallProcWindow
                                                                    • String ID:
                                                                    • API String ID: 2714655100-0
                                                                    • Opcode ID: 3e49ad63a44ca2efc83961df239113fd1d0a65684534c870250da3a079a88559
                                                                    • Instruction ID: df32791c8a88ab185a8e51a38936f1b7f06ab185e663bf57bad89269647512be
                                                                    • Opcode Fuzzy Hash: 3e49ad63a44ca2efc83961df239113fd1d0a65684534c870250da3a079a88559
                                                                    • Instruction Fuzzy Hash: 324116B4A00245CFDB14CF99C488BAABBF5FF88314F15C459E529AB361D774A841CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 975 4e09dc0-4e0c947 977 4e0c980-4e0c9ca LoadLibraryA 975->977 978 4e0c949-4e0c953 975->978 983 4e0c9d3-4e0ca04 977->983 984 4e0c9cc-4e0c9d2 977->984 978->977 979 4e0c955-4e0c957 978->979 981 4e0c959-4e0c963 979->981 982 4e0c97a-4e0c97d 979->982 985 4e0c965 981->985 986 4e0c967-4e0c976 981->986 982->977 990 4e0ca14 983->990 991 4e0ca06-4e0ca0a 983->991 984->983 985->986 986->986 988 4e0c978 986->988 988->982 993 4e0ca15 990->993 991->990 992 4e0ca0c 991->992 992->990 993->993
                                                                    APIs
                                                                    • LoadLibraryA.KERNELBASE(?), ref: 04E0C9BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.641551276.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4e00000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 7611f0761e1161ff5e09d0dac45e40099ecd2fc79914d0ab8e544519e20c6634
                                                                    • Instruction ID: 3040a9b14d27eb2a0dbbf3846c40520ec4526156636cf6750b3f9fefca9e32bd
                                                                    • Opcode Fuzzy Hash: 7611f0761e1161ff5e09d0dac45e40099ecd2fc79914d0ab8e544519e20c6634
                                                                    • Instruction Fuzzy Hash: 8C3139B0D102499FDF18DFA8C44579EBBF1BB08318F248629E865B7380D774A485CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 994 4e0c8e4-4e0c947 995 4e0c980-4e0c9ca LoadLibraryA 994->995 996 4e0c949-4e0c953 994->996 1001 4e0c9d3-4e0ca04 995->1001 1002 4e0c9cc-4e0c9d2 995->1002 996->995 997 4e0c955-4e0c957 996->997 999 4e0c959-4e0c963 997->999 1000 4e0c97a-4e0c97d 997->1000 1003 4e0c965 999->1003 1004 4e0c967-4e0c976 999->1004 1000->995 1008 4e0ca14 1001->1008 1009 4e0ca06-4e0ca0a 1001->1009 1002->1001 1003->1004 1004->1004 1006 4e0c978 1004->1006 1006->1000 1011 4e0ca15 1008->1011 1009->1008 1010 4e0ca0c 1009->1010 1010->1008 1011->1011
                                                                    APIs
                                                                    • LoadLibraryA.KERNELBASE(?), ref: 04E0C9BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.641551276.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4e00000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: c1a234406167c1e7c702a2773fdf19da122650c2de40209799746efbcfbf8862
                                                                    • Instruction ID: 5a75c25424276a901214d0030ebdae0a8315f993fc69ca07d7ea14e51973745a
                                                                    • Opcode Fuzzy Hash: c1a234406167c1e7c702a2773fdf19da122650c2de40209799746efbcfbf8862
                                                                    • Instruction Fuzzy Hash: 893139B1D102899FDF18CFA8C88579EBFB1BB08314F24962DE865A7380D774A485CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                     Control-flow Graph (blocks are listed as "id start-end", followed by any call targets or API names inside that block; edges as "from->to"; the Executed / Not Executed colouring of the original graph image is not reproduced here)
                                                                     control_flow_graph 1631 5b18405-5b18622 call 5b15a60 call 5b15bf0 KiUserExceptionDispatcher 1658 5b18628-5b18677 1631->1658
                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 769426e2c07f42eb75b926da8f3244bf3d8807e843cf7145b8e9181f6a4ac8ed
                                                                    • Instruction ID: a1555322d1f9d2dd27c3b26973390d34648c6a81d9d9d28893cc9304dca30e16
                                                                    • Opcode Fuzzy Hash: 769426e2c07f42eb75b926da8f3244bf3d8807e843cf7145b8e9181f6a4ac8ed
                                                                    • Instruction Fuzzy Hash: A5313535A01268CFCB65DF64D88969EB7B2FF4A305F5041DAE90AA3254CF346E81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                     Control-flow Graph (blocks are listed as "id start-end", followed by any call targets or API names inside that block; edges as "from->to"; the Executed / Not Executed colouring of the original graph image is not reproduced here)
                                                                     control_flow_graph 1661 5b18441-5b18622 call 5b15a60 call 5b15bf0 KiUserExceptionDispatcher 1685 5b18628-5b18677 1661->1685
                                                                    APIs
                                                                    • KiUserExceptionDispatcher.NTDLL ref: 05B1845C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_5b10000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: DispatcherExceptionUser
                                                                    • String ID:
                                                                    • API String ID: 6842923-0
                                                                    • Opcode ID: 43b7f27e50d30ccaac8dac7c55349237daa9b94c5e226b8d7911c6d5f4007e47
                                                                    • Instruction ID: 3a713a11380ff9c5b4fa505f8014e83538ac251310d4a10fdefbc239ceae3e11
                                                                    • Opcode Fuzzy Hash: 43b7f27e50d30ccaac8dac7c55349237daa9b94c5e226b8d7911c6d5f4007e47
                                                                    • Instruction Fuzzy Hash: 89312635A01268CFCB65EF64D88969EB7B2FF49305F5041DAE90AA3254DF346E81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                     Control-flow Graph (blocks are listed as "id start-end", followed by any call targets or API names inside that block; edges as "from->to"; the Executed / Not Executed colouring of the original graph image is not reproduced here)
                                                                     control_flow_graph 1688 4e04f1f-4e04f28 1689 4e04f2a-4e04f33 1688->1689 1690 4e04f8f-4e04fb8 call 4e04da0 call 4e04df8 1688->1690 1692 4e04f3e 1689->1692 1693 4e04f39 call 4e04838 1689->1693 1699 4e04fba-4e04fbc 1690->1699 1700 4e04fbe 1690->1700 1696 4e04f4e-4e04f66 call 4e04a88 1692->1696 1693->1692 1702 4e04fc3-4e04fcb 1699->1702 1700->1702 1703 4e05027-4e05039 1702->1703 1704 4e04fcd-4e04ffe RtlEncodePointer 1702->1704 1706 4e05000-4e05006 1704->1706 1707 4e05007-4e0501d 1704->1707 1706->1707 1707->1703
                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 04E04FED
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.641551276.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4e00000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: 1b7897b491943336c331d35679e85e863c282d773dc7c34a044edf86adf4fd22
                                                                    • Instruction ID: 34ed223f29f5c8aae852becf6d9ab92a2de078a8a75d2c73fce1df518f8965ea
                                                                    • Opcode Fuzzy Hash: 1b7897b491943336c331d35679e85e863c282d773dc7c34a044edf86adf4fd22
                                                                    • Instruction Fuzzy Hash: 942159B19143458FEB50DFA8D5497ADBFF0FB04318F10941AE568A7280CB79B58A8FA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 04E04D42
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.641551276.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4e00000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: 3fc013ed491d3fa01de5581c2a11d836ef74fc7ff23cc460c5c4b21cc837a477
                                                                    • Instruction ID: dc57f3310549038c997205e6d016dee14c27d0e01e9a028878375af0f5423788
                                                                    • Opcode Fuzzy Hash: 3fc013ed491d3fa01de5581c2a11d836ef74fc7ff23cc460c5c4b21cc837a477
                                                                    • Instruction Fuzzy Hash: 0421BBB19013858FCB10EFA9D5083AEBFF0FB44318F24846AD454B7680D7386489CF61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 04E04D42
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.641551276.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4e00000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: df27a9181060a6e1f067e01a794342cf123a1539188ad29d568d4ba438ea28b6
                                                                    • Instruction ID: 28d580338a4bb345556af5c2a52b4a2a88628244c3ed8887d5929c4691b0c3ac
                                                                    • Opcode Fuzzy Hash: df27a9181060a6e1f067e01a794342cf123a1539188ad29d568d4ba438ea28b6
                                                                    • Instruction Fuzzy Hash: FB119AB19003459FDB10EFA9D5087AEBFF4FB44318F24842AD414B7684DB386485CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.639426424.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_b9d000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f1165794ebab04288ea60fa8f9e0b9b765b4aa36bd32469a718c44767939a42
                                                                    • Instruction ID: 37987cde613bb6896a14a4c86f0725b06f739e9ce21daa43fccc8e73edcd9e7f
                                                                    • Opcode Fuzzy Hash: 4f1165794ebab04288ea60fa8f9e0b9b765b4aa36bd32469a718c44767939a42
                                                                    • Instruction Fuzzy Hash: 5E2125B2504244DFDF05CF54D9C0B2ABBA5FB88324F2486B9E9054B24AC336D816DBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.639426424.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_b9d000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f96983be84224b73ba105e0431accb1495e95c916d0a91e1cd37e8a31158ff78
                                                                    • Instruction ID: 88213b1d10be9e913ae0fbf2801c4c8a5736b0c119dbef30c2e21a75ca52ee3f
                                                                    • Opcode Fuzzy Hash: f96983be84224b73ba105e0431accb1495e95c916d0a91e1cd37e8a31158ff78
                                                                    • Instruction Fuzzy Hash: 742137B1504244DFDF00DF14D9C0B2ABFA5FBA8328F2586B9E9054B25AC336DC46DBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.639426424.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_b9d000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aaf7bc59e403cbe88e4fc6b9937ef955199801b58e18a264cccf4da15b6a6f4a
                                                                    • Instruction ID: d82724e3559ca039c6f5ae9b4357d7782818819e4254a2f17afdd2ccbc7548d8
                                                                    • Opcode Fuzzy Hash: aaf7bc59e403cbe88e4fc6b9937ef955199801b58e18a264cccf4da15b6a6f4a
                                                                    • Instruction Fuzzy Hash: 82216D76504280DFDF16CF54D9C4B16BFB1FB98324F24C6A9D8044A656C33AD85ACBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.639426424.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_b9d000_6R24hlXGVS56Z6Y.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
                                                                    • Instruction ID: 2972a1970744844c2d3dd2052e0aa3bf4ea4bdd7647ea14380a10769fb88858f
                                                                    • Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
                                                                    • Instruction Fuzzy Hash: E211D376904280CFCF11CF10D5C4B16BFB1FB94324F25C6A9D8050B656C33AD85ACBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
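The function entries above (control_flow_graph node lists, API references, Memory Dump Source and instruction fuzzy hashes) are easier to triage once parsed into records. The following Python is an added example written for this page, not part of the Joe Sandbox report or its IDA plugin. It parses a sample transcribed from three of the entries above, turns each control_flow_graph line into blocks and edges, converts each API reference address into an offset inside its .sdmp dump (assuming the dump is a raw copy of the region starting at the stated Offset), and flags near-duplicate functions by comparing their instruction fuzzy hashes position by position. The token grammar for control_flow_graph lines is inferred from this page, and the nibble comparison is my own coarse approximation, not Joe Sandbox's similarity metric.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three entries transcribed from this report (the 4E00000
# LoadLibraryA function, graph trimmed to its first nine blocks, and the two
# 5B10000 functions reaching KiUserExceptionDispatcher), reduced to the lines
# the parser below reads.
SAMPLE_REPORT = """\
control_flow_graph 994 4e0c8e4-4e0c947 995 4e0c980-4e0c9ca LoadLibraryA 994->995 996 4e0c949-4e0c953 994->996 1001 4e0c9d3-4e0ca04 995->1001 1002 4e0c9cc-4e0c9d2 995->1002 996->995 997 4e0c955-4e0c957 996->997 999 4e0c959-4e0c963 997->999 1000 4e0c97a-4e0c97d 997->1000 1003 4e0c965 999->1003
APIs
• LoadLibraryA.KERNELBASE(?), ref: 04E0C9BA
Memory Dump Source
• Source File: 00000004.00000002.641551276.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
• Opcode ID: c1a234406167c1e7c702a2773fdf19da122650c2de40209799746efbcfbf8862
• Instruction Fuzzy Hash: 893139B1D102899FDF18CFA8C88579EBFB1BB08314F24962DE865A7380D774A485CF91
Uniqueness Score: -1.00%
control_flow_graph 1631 5b18405-5b18622 call 5b15a60 call 5b15bf0 KiUserExceptionDispatcher 1658 5b18628-5b18677 1631->1658
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05B1845C
Memory Dump Source
• Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
• Opcode ID: 769426e2c07f42eb75b926da8f3244bf3d8807e843cf7145b8e9181f6a4ac8ed
• Instruction Fuzzy Hash: A5313535A01268CFCB65DF64D88969EB7B2FF4A305F5041DAE90AA3254CF346E81CF11
Uniqueness Score: -1.00%
control_flow_graph 1661 5b18441-5b18622 call 5b15a60 call 5b15bf0 KiUserExceptionDispatcher 1685 5b18628-5b18677 1661->1685
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05B1845C
Memory Dump Source
• Source File: 00000004.00000002.642330237.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
• Opcode ID: 43b7f27e50d30ccaac8dac7c55349237daa9b94c5e226b8d7911c6d5f4007e47
• Instruction Fuzzy Hash: 89312635A01268CFCB65EF64D88969EB7B2FF49305F5041DAE90AA3254DF346E81CF11
Uniqueness Score: -1.00%
"""

CFG_RE = re.compile(r"^control_flow_graph\s+(?P<body>.*)$")
API_RE = re.compile(r"^•?\s*(?P<name>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash:\s*(?P<h>[0-9A-F]+)")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # "start-end" or a single address


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # "call <addr>" targets in the block
    apis: list = field(default_factory=list)   # API names attached to the block


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)   # (name, module, reference address)
    source_file: str = ""
    region_base: int = 0                       # "Offset:" of the .sdmp region
    opcode_id: str = ""
    fuzzy_hash: str = ""
    cfg: str = ""


def parse_entries(text):
    """Split report text into per-function entries; a 'Uniqueness Score' line closes one."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := CFG_RE.match(line):
            cur.cfg = m["body"]
        elif m := API_RE.match(line):
            cur.apis.append((m["name"], m["module"], int(m["addr"], 16)))
        elif m := SRC_RE.search(line):
            cur.source_file, cur.region_base = m["file"], int(m["off"], 16)
        elif m := OPCODE_RE.search(line):
            cur.opcode_id = m["id"]
        elif m := FUZZY_RE.search(line):
            cur.fuzzy_hash = m["h"]
        elif line.startswith("Uniqueness Score"):
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def parse_cfg(body):
    """'<id> <start[-end]>' opens a block, 'call <addr>' and bare API names annotate
    the open block, '<a>-><b>' is an edge (grammar inferred from this page; assumption)."""
    toks, blocks, edges, cur, i = body.split(), {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            a, b = t.split("->")
            edges.append((int(a), int(b)))
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            ends = toks[i + 1].split("-")
            cur = blocks[int(t)] = Block(int(t), int(ends[0], 16), int(ends[-1], 16))
            i += 1
        elif t == "call" and cur is not None and i + 1 < len(toks):
            cur.calls.append(int(toks[i + 1], 16))
            i += 1
        elif cur is not None:
            cur.apis.append(t)
        i += 1
    return blocks, edges


def ref_offsets(entry):
    """File offsets of the API call sites, assuming the .sdmp is a raw dump of the
    region starting at its stated Offset (assumption)."""
    return [addr - entry.region_base for _, _, addr in entry.apis]


def nibble_similarity(h1, h2):
    """Share of positions holding the same hex nibble: my coarse stand-in for Joe
    Sandbox's similarity metric, meaningful only for equal-length hashes (assumption)."""
    if len(h1) != len(h2) or not h1:
        return 0.0
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)


def near_duplicates(entries, threshold=0.85):
    """(i, j, score) for entry pairs whose fuzzy hashes agree at >= threshold of positions."""
    out = []
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            s = nibble_similarity(entries[i].fuzzy_hash, entries[j].fuzzy_hash)
            if s >= threshold:
                out.append((i, j, s))
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for n, e in enumerate(parsed):
        blocks, edges = parse_cfg(e.cfg)
        print(n, e.opcode_id[:12], e.apis, [hex(o) for o in ref_offsets(e)], len(blocks), "blocks", len(edges), "edges")
    for i, j, s in near_duplicates(parsed):
        print(f"near-duplicate pair: entry {i} and entry {j}, score {s:.2f}")
```

On the sample, the two 5B10000 functions (Opcode IDs 769426e2... and 43b7f27e...) agree at 63 of 70 nibble positions, which is what the report's near-identical "Instruction Fuzzy Hash" values already hint at: they are two entry points into the same exception-handling stub, both referencing KiUserExceptionDispatcher at 05B1845C. The offset arithmetic gives 0xC9BA for the LoadLibraryA call site and 0x845C for the KiUserExceptionDispatcher one, which is where to seek in the respective .sdmp under the stated assumption.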