Windows Analysis Report
6R24hlXGVS56Z6Y.exe

Overview

General Information

Sample Name: 6R24hlXGVS56Z6Y.exe
Analysis ID: 635212
MD5: a9819b4b8ca61d132faa30c59482c10f
SHA1: 226725a9f34ade061c288e6a6faddd944fec8868
SHA256: 86a8ba97bde5b049538c73c0e8fc0484a0883422944eb5b988eec2233d004837
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Adds / modifies Windows certificates
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 6R24hlXGVS56Z6Y.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe" MD5: A9819B4B8CA61D132FAA30C59482C10F)
    • 6R24hlXGVS56Z6Y.exe (PID: 6520 cmdline: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe MD5: A9819B4B8CA61D132FAA30C59482C10F)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "lewislog@samsung-tv.buzz", "Password": "7213575aceACE@#$", "Host": "samsung-tv.buzz"}
Source | Rule | Description | Author | Strings
00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen |
  • 0x30d60:$s10: logins
  • 0x307c7:$s11: credential
  • 0x2cdb5:$g1: get_Clipboard
  • 0x2cdc3:$g2: get_Keyboard
  • 0x2cdd0:$g3: get_Password
  • 0x2e0ce:$g4: get_CtrlKeyDown
  • 0x2e0de:$g5: get_ShiftKeyDown
  • 0x2e0ef:$g6: get_AltKeyDown
4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "lewislog@samsung-tv.buzz", "Password": "7213575aceACE@#$", "Host": "samsung-tv.buzz"}
Source: 6R24hlXGVS56Z6Y.exe, Virustotal: Detection: 36%
Source: 6R24hlXGVS56Z6Y.exe, ReversingLabs: Detection: 61%
Source: 6R24hlXGVS56Z6Y.exe, Avira: detected
Source: 6R24hlXGVS56Z6Y.exe, Joe Sandbox ML: detected
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack, Avira: Label: TR/Spy.Gen8
Source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 6R24hlXGVS56Z6Y.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 6R24hlXGVS56Z6Y.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View, ASN Name: ITLASUA ITLASUA
Source: global traffic, TCP traffic: 192.168.2.6:49774 -> 195.54.163.133:587
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384911065.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384824409.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387511186.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387434200.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmly
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com$
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coma
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comof
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comrk
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comsk
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.461073416.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455241825.0000000006B2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455661936.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454554430.0000000006803000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455661936.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454554430.0000000006803000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454767047.0000000006C09000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.642919631.0000000006788000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454797413.00000000067A5000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455786336.00000000067A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454797413.00000000067A5000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455786336.00000000067A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455322515.0000000006BC8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424158383.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395139333.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.417562402.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395010669.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395430812.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 
00000000.00000003.394716738.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389669965.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comB
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424158383.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395139333.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.417562402.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395010669.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.395430812.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.394716738.00000000063C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389669965.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsF
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomm
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389573902.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdyo$
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389409524.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389458621.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389339625.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessed
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388718051.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comk
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389700798.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389756587.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlicF
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389245349.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389085024.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388955744.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388830994.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388767394.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389032106.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389282998.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389145404.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000003.388718051.00000000063BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsief
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://eca.hinet.net/repository0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454786394.00000000067A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
                    Source: unknownDNS traffic detected: queries for: samsung-tv.buzz

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.418468821.0000000001708000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.458aa98.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007bB78F8ED1u002d8526u002d4A8Cu002dB434u002d8894A4F7354Fu007d/u00367C580EDu002d9D01u002d4F86u002d938Eu002d12F487DD747F.csLarge array initialization: .cctor: array initializer size 11644
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bB78F8ED1u002d8526u002d4A8Cu002dB434u002d8894A4F7354Fu007d/u00367C580EDu002d9D01u002d4F86u002d938Eu002d12F487DD747F.csLarge array initialization: .cctor: array initializer size 11644
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bB78F8ED1u002d8526u002d4A8Cu002dB434u002d8894A4F7354Fu007d/u00367C580EDu002d9D01u002d4F86u002d938Eu002d12F487DD747F.csLarge array initialization: .cctor: array initializer size 11644
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bB78F8ED1u002d8526u002d4A8Cu002dB434u002d8894A4F7354Fu007d/u00367C580EDu002d9D01u002d4F86u002d938Eu002d12F487DD747F.csLarge array initialization: .cctor: array initializer size 11644
                    Source: 6R24hlXGVS56Z6Y.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.4770840.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.7e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.47468c0.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.458aa98.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45c0eb8.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.6R24hlXGVS56Z6Y.exe.45f54d8.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 0_2_018F6A08
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 0_2_018F6D9E
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 0_2_018F7DF0
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 0_2_018F8102
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 4_2_04E0F080
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 4_2_04E0F3C8
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 4_2_05B1C920
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 4_2_05B1BBD0
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 4_2_05B19C09
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.418171038.0000000001052000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameInternalRemotingServi.exe< vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.418468821.0000000001708000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424323014.0000000006570000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCerbera.dll" vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639219509.00000000006A2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameInternalRemotingServi.exe< vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFAsEvtdFaXvUVXTZUnGUBPtkYtzbk.exe4 vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000002.639361959.0000000000AF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exeBinary or memory string: OriginalFilenameInternalRemotingServi.exe< vs 6R24hlXGVS56Z6Y.exe
                    Source: 6R24hlXGVS56Z6Y.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: 6R24hlXGVS56Z6Y.exeVirustotal: Detection: 36%
                    Source: 6R24hlXGVS56Z6Y.exeReversingLabs: Detection: 61%
                    Source: 6R24hlXGVS56Z6Y.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe "C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe"
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess created: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess created: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6R24hlXGVS56Z6Y.exe.log
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/4@2/2
                    Source: 6R24hlXGVS56Z6Y.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: 6R24hlXGVS56Z6Y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 6R24hlXGVS56Z6Y.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 0_2_00FC0546 push BD3742C6h; iretd
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeCode function: 4_2_00610546 push BD3742C6h; iretd
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.84091961833
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6360, type: MEMORYSTR
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 6356 Thread sleep time: -43731s >= -30000s
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 6028 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 2952 Thread sleep time: -22136092888451448s >= -30000s
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 3396 Thread sleep count: 4471 > 30
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe TID: 3396 Thread sleep count: 4342 > 30
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Window / User API: threadDelayed 4471
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Window / User API: threadDelayed 4342
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Thread delayed: delay time: 43731
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                    Source: 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.453201353.000000000680F000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.450117128.000000000680E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466236746.0000000006B2C000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.449482579.0000000006B2B000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643689646.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.453574264.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.461073416.0000000006B2E000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455421039.0000000006B30000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                    Source: 6R24hlXGVS56Z6Y.exe, 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Memory written: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Process created: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

                    Stealing of Sensitive Information

                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: Yara match. File source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match. File source: Process Memory Space: 6R24hlXGVS56Z6Y.exe PID: 6520, type: MEMORYSTR

                    Remote Access Functionality

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 11 Disable or Modify Tools | 2 OS Credential Dumping | 114 System Information Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 1 Query Registry | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 3 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 111 Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Modify Registry | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Source | Detection | Scanner | Label | Link
6R24hlXGVS56Z6Y.exe | 37% | Virustotal | | Browse
6R24hlXGVS56Z6Y.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
6R24hlXGVS56Z6Y.exe | 100% | Avira | HEUR/AGEN.1235153 |
6R24hlXGVS56Z6Y.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
4.2.6R24hlXGVS56Z6Y.exe.600000.1.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.11.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.7.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.1.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
0.2.6R24hlXGVS56Z6Y.exe.fb0000.0.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.5.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.2.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.13.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
0.0.6R24hlXGVS56Z6Y.exe.fb0000.0.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.0.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.9.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
4.2.6R24hlXGVS56Z6Y.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.6R24hlXGVS56Z6Y.exe.600000.3.unpack | 100% | Avira | HEUR/AGEN.1235153 | | Download File
Source | Detection | Scanner | Label | Link
samsung-tv.buzz | 2% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
samsung-tv.buzz | 195.54.163.133 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.coml6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://ac.economia.gob.mx/last.crl0G6R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.comof6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://EEMzZM29crUf0q.org6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640941183.0000000002D1B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt06R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/l6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386261996.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://crl.oces.trust2408.com/oces.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://eca.hinet.net/repository06R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.fontbureau.comals6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://certs.oaticerts.com/repository/OATICA2.crl6R24hlXGVS56Z6Y.exe, 00000004.00000003.454913928.0000000006BFE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://certs.oati.net/repository/OATICA2.crt06R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.accv.es006R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comsivo$6R24hlXGVS56Z6Y.exe, 00000000.00000003.390359522.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389936973.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390078961.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390236620.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390426618.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390181420.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.389842823.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390014696.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390578615.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.390486046.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf06R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://web.ncdc.gov.sa/crl/nrcaparta1.crl6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.com$6R24hlXGVS56Z6Y.exe, 00000000.00000003.385570624.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385224109.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385477472.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385675011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385426375.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385342011.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385736791.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385279210.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.385162735.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.datev.de/zertifikat-policy-int06R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cn/bThe6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/ue6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.acabogacia.org06R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.firmaprofesional.com/cps06R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://api.ipify.org%%startupfolder%6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                low
                                                http://crl.securetrust.com/SGCA.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454538794.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455625077.00000000067F9000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.460720359.00000000067F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.agesic.gub.uy/acrn/acrn.crl0)6R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.rcsc.lt/repository06R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.sandoll.co.krs-c6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382675016.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.typography.netD6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://fontfabrik.com6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380606284.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380758503.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380677591.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.380652171.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://web.certicamara.com/marco-legal0Z6R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.quovadisglobal.com/cps06R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://x1.c.lencr.org/06R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://x1.i.lencr.org/06R24hlXGVS56Z6Y.exe, 00000004.00000003.466057935.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643187937.0000000006803000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi6R24hlXGVS56Z6Y.exe, 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fonts.com6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.sandoll.co.kr6R24hlXGVS56Z6Y.exe, 00000000.00000003.382834582.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382905321.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.382675016.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.urwpp.de6R24hlXGVS56Z6Y.exe, 00000000.00000003.388329849.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://certs.oaticerts.com/repository/OATICA2.crt086R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://cps.chambersign.org/cps/chambersignroot.html06R24hlXGVS56Z6Y.exe, 00000004.00000003.454658986.0000000006C0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.anf.es/AC/RC/ocsp0c6R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.jiyu-kobo.co.jp/wa6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.oaticerts.com/repository.6R24hlXGVS56Z6Y.exe, 00000004.00000003.454691889.0000000006BFF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.ancert.com/cps06R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://ocsp.accv.es06R24hlXGVS56Z6Y.exe, 00000004.00000003.454835669.0000000006BCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.466720672.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.465548130.0000000006BC3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.643882853.0000000006BC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.echoworx.com/ca/root2/cps.pdf06R24hlXGVS56Z6Y.exe, 00000004.00000003.454993017.0000000006B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://rca.e-szigno.hu/ocsp0-6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz036R24hlXGVS56Z6Y.exe, 00000004.00000003.454808555.0000000006BEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://samsung-tv.buzz6R24hlXGVS56Z6Y.exe, 00000004.00000002.640954405.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000002.641105197.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://eca.hinet.net/repository/CRL2/CA.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.datev.de/zertifikat-policy-std06R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.jiyu-kobo.co.jp/jp/6R24hlXGVS56Z6Y.exe, 00000000.00000003.387216615.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387393990.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387083177.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387338083.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387167162.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.387307595.00000000063C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl06R24hlXGVS56Z6Y.exe, 00000004.00000003.454846865.0000000006BD8000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454934585.0000000006BE6000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454945162.0000000006BEA000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.454868163.0000000006BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers/cabarga.htmlN6R24hlXGVS56Z6Y.exe, 00000000.00000002.424564318.00000000076B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.founder.com.cn/cn6R24hlXGVS56Z6Y.exe, 00000000.00000003.383604980.00000000063BB000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384160713.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.384516970.00000000063BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.jiyu-kobo.co.jp/va6R24hlXGVS56Z6Y.exe, 00000000.00000003.386534111.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386490365.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386885596.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386706578.00000000063C2000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000000.00000003.386329788.00000000063C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf06R24hlXGVS56Z6Y.exe, 00000004.00000003.454610878.00000000067A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://crl.defence.gov.au/pki06R24hlXGVS56Z6Y.exe, 00000004.00000003.455022172.0000000006B60000.00000004.00000800.00020000.00000000.sdmp, 6R24hlXGVS56Z6Y.exe, 00000004.00000003.455216418.0000000006BC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs
IP:195.54.163.133
Domain:samsung-tv.buzz
Country:Ukraine
ASN:15626
ASN Name:ITLASUA
Malicious:true
IP:192.168.2.1
                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                  Analysis ID:635212
Start date and time: 2022-05-27 17:06:05 +02:00
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 10m 58s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:light
                                                                  Sample file name:6R24hlXGVS56Z6Y.exe
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@3/4@2/2
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HDC Information:
                                                                  • Successful, ratio: 2.2% (good quality ratio 1.7%)
                                                                  • Quality average: 19.5%
                                                                  • Quality standard deviation: 21.5%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 0
                                                                  • Number of non-executed functions: 0
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210, 8.241.9.126, 8.241.79.254, 8.248.131.254, 8.241.9.254, 8.252.5.126
                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:07:32 | API Interceptor | 650x Sleep call for process: 6R24hlXGVS56Z6Y.exe modified
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:Microsoft Cabinet archive data, 61476 bytes, 1 file
                                                                  Category:dropped
                                                                  Size (bytes):61476
                                                                  Entropy (8bit):7.995018321729444
                                                                  Encrypted:true
                                                                  SSDEEP:1536:NATLwfiuePkACih0/8uIwf5CiqGLhk1V/AFnGegJR:N7nePk5gKsoBha/0GTf
                                                                  MD5:308336E7F515478969B24C13DED11EDE
                                                                  SHA1:8FB0CF42B77DBBEF224A1E5FC38ABC2486320775
                                                                  SHA-256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
                                                                  SHA-512:61AD97228CD6C3909EF3AC5E4940199971F293BDD0D5EB7916E60469573A44B6287C0FA1E0B6C1389DF35EB6C9A7D2A61FDB318D4A886A3821EF5A9DAB3AC24F
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):328
                                                                  Entropy (8bit):3.1008650894945404
                                                                  Encrypted:false
                                                                  SSDEEP:6:kKbXBmN+SkQlPlEGYRMY9z+4KlDA3RUecl7PG1:PkPlE99SNxAhUecl61
                                                                  MD5:73613CA04B78246223E042C2C658801F
                                                                  SHA1:1E28BFB3D44CA59265AB73743E70E5142E62345B
                                                                  SHA-256:425A28548A28D23A991340FF23F25679B3C6CF61F817A95E20D03271DCAA317B
                                                                  SHA-512:638B2416F7D87E6AE24B3D284EE725EE0F72B23C59CBC0174BBA40602A71B798E9CEBB067A702A3B7398407CF22A046D31EDE601358D30BD1BA9B584C54CDA12
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:p...... .........N..+r..(....................................................... ........3f..o......&...........$...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.3.3.6.6.b.4.9.0.6.f.d.8.1.:.0."...
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1308
                                                                  Entropy (8bit):5.345811588615766
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                  Process:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                  Category:modified
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):0.6951152985249047
                                                                  Encrypted:false
                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                                  MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                                  SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                                  SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                                  SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.821023279624439
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:6R24hlXGVS56Z6Y.exe
                                                                  File size:670720
                                                                  MD5:a9819b4b8ca61d132faa30c59482c10f
                                                                  SHA1:226725a9f34ade061c288e6a6faddd944fec8868
                                                                  SHA256:86a8ba97bde5b049538c73c0e8fc0484a0883422944eb5b988eec2233d004837
                                                                  SHA512:d5f258ced031dfcb55c5b50be6d86029da4ee56a323950ac22c8d39d1f9003f76ef9183694558d2e50041326d96358b4cb3ee0fbffb1572db500a4e8dc0e858f
                                                                  SSDEEP:12288:m5lbHo6UHQKywl4DsE84eys2wSO4h0VR81ZnUv3/rWXMnM3jNbazUatGG:qbHoSY+X59O4mVRaVA6XIMz4zUmGG
                                                                  TLSH:8EE40119F771A9E6E45C03BE3071183A2F64CB33E5BEE65D68A8711328742C6055BECB
                                                                  Icon Hash:31b1393969391b39
                                                                  Entrypoint:0x4a0cce
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x628FCA9D [Thu May 26 18:44:45 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0c74 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x488c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9ecd4 | 0x9ee00 | False | 0.89987737264 | data | 7.84091961833 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x488c | 0x4a00 | False | 0.663481841216 | data | 6.51566732649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xa2130 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294268550, next used block 4294202757 | |
RT_GROUP_ICON | 0xa6358 | 0x14 | data | |
RT_VERSION | 0xa636c | 0x36c | data | |
RT_MANIFEST | 0xa66d8 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.0.0
InternalName | InternalRemotingServi.exe
FileVersion | 1.0.0.0
CompanyName | Microsoft
LegalTrademarks |
Comments |
ProductName | BlockGame App
ProductVersion | 1.0.0.0
FileDescription | BlockGame App
OriginalFilename | InternalRemotingServi.exe
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  May 27, 2022 17:07:49.407982111 CEST | 61116 | 53 | 192.168.2.6 | 8.8.8.8
                                                                  May 27, 2022 17:07:49.438499928 CEST | 53 | 61116 | 8.8.8.8 | 192.168.2.6
                                                                  May 27, 2022 17:08:01.902328968 CEST | 50029 | 53 | 192.168.2.6 | 8.8.8.8
                                                                  May 27, 2022 17:08:01.933845043 CEST | 53 | 50029 | 8.8.8.8 | 192.168.2.6
                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                  May 27, 2022 17:07:49.407982111 CEST | 192.168.2.6 | 8.8.8.8 | 0x9836 | Standard query (0) | samsung-tv.buzz | A (IP address) | IN (0x0001)
                                                                  May 27, 2022 17:08:01.902328968 CEST | 192.168.2.6 | 8.8.8.8 | 0x8455 | Standard query (0) | samsung-tv.buzz | A (IP address) | IN (0x0001)
                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                  May 27, 2022 17:07:49.438499928 CEST | 8.8.8.8 | 192.168.2.6 | 0x9836 | No error (0) | samsung-tv.buzz |  | 195.54.163.133 | A (IP address) | IN (0x0001)
                                                                  May 27, 2022 17:08:01.933845043 CEST | 8.8.8.8 | 192.168.2.6 | 0x8455 | No error (0) | samsung-tv.buzz |  | 195.54.163.133 | A (IP address) | IN (0x0001)
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                  May 27, 2022 17:07:50.788113117 CEST | 587 | 49774 | 195.54.163.133 | 192.168.2.6 | 220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Fri, 27 May 2022 18:07:50 +0300
                                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                                  220 and/or bulk e-mail.
                                                                  May 27, 2022 17:07:50.793912888 CEST | 49774 | 587 | 192.168.2.6 | 195.54.163.133 | EHLO 358075
                                                                  May 27, 2022 17:07:50.846843004 CEST | 587 | 49774 | 195.54.163.133 | 192.168.2.6 | 250-cp5ua.hyperhost.ua Hello 358075 [102.129.143.42]
                                                                  250-SIZE 52428800
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPE_CONNECT
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  May 27, 2022 17:07:50.847846031 CEST | 49774 | 587 | 192.168.2.6 | 195.54.163.133 | STARTTLS
                                                                  May 27, 2022 17:07:50.902426004 CEST | 587 | 49774 | 195.54.163.133 | 192.168.2.6 | 220 TLS go ahead
                                                                  May 27, 2022 17:08:02.093596935 CEST | 587 | 49780 | 195.54.163.133 | 192.168.2.6 | 220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Fri, 27 May 2022 18:08:01 +0300
                                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                                  220 and/or bulk e-mail.
                                                                  May 27, 2022 17:08:02.093878984 CEST | 49780 | 587 | 192.168.2.6 | 195.54.163.133 | EHLO 358075
                                                                  May 27, 2022 17:08:02.146786928 CEST | 587 | 49780 | 195.54.163.133 | 192.168.2.6 | 250-cp5ua.hyperhost.ua Hello 358075 [102.129.143.42]
                                                                  250-SIZE 52428800
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPE_CONNECT
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  May 27, 2022 17:08:02.153640985 CEST | 49780 | 587 | 192.168.2.6 | 195.54.163.133 | STARTTLS
                                                                  May 27, 2022 17:08:02.209285975 CEST | 587 | 49780 | 195.54.163.133 | 192.168.2.6 | 220 TLS go ahead

                                                                  Target ID:0
                                                                  Start time:17:07:20
                                                                  Start date:27/05/2022
                                                                  Path:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe"
                                                                  Imagebase:0xfb0000
                                                                  File size:670720 bytes
                                                                  MD5 hash:A9819B4B8CA61D132FAA30C59482C10F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.420611463.0000000003784000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.421382198.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.425573285.0000000007E20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.419325679.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.422039966.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Target ID:4
                                                                  Start time:17:07:39
                                                                  Start date:27/05/2022
                                                                  Path:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\6R24hlXGVS56Z6Y.exe
                                                                  Imagebase:0x600000
                                                                  File size:670720 bytes
                                                                  MD5 hash:A9819B4B8CA61D132FAA30C59482C10F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.414625419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.416014888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.416014888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.414120802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.414120802.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.416564680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.416564680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.638637561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.638637561.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.639930761.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  No disassembly