Windows Analysis Report
SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Analysis ID: 1446958
MD5: 3b384a3b2b0f5050e1a558d3142fb2bf
SHA1: 83993ad0c2e5761113949855f1c2dc26db367536
SHA256: 0566cddbc7c0c84c721964f61e7816f2adf558b1dc455a97ca40f1ed73ffc256
Tags: exe

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 51
Range: 0 - 100

Signatures

Installs new ROOT certificates
PE file has a writeable .text section
Writes many files with high entropy
Yara detected Generic Downloader
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01004F6B InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,FindCloseChangeNotification,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer, 2_2_01004F6B
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_010045EB GetFileAttributesA,LoadLibraryA,GetProcAddress,DecryptFileA,GetLastError, 2_2_010045EB
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C1717D1 __EH_prolog3,CryptQueryObject,GetLastError,CertCloseStore,CryptMsgClose,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 3_2_6C1717D1
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C158094 CryptMsgGetAndVerifySigner, 3_2_6C158094
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C158083 CryptQueryObject, 3_2_6C158083
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C1580A5 CryptHashPublicKeyInfo,SetLastError, 3_2_6C1580A5
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C1580D5 CryptMsgGetParam,SetLastError, 3_2_6C1580D5
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C158114 CryptDecodeObject,SetLastError, 3_2_6C158114
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F410B6 _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust, 5_2_00F410B6
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F41302 CryptHashPublicKeyInfo,_memcmp,_memcmp,GetLastError, 5_2_00F41302
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F567E2 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext, 5_2_00F567E2
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F417D8 DecryptFileW, 5_2_00F417D8
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F417D8 DecryptFileW, 6_2_00F417D8
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F410B6 _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust, 6_2_00F410B6
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F41302 CryptHashPublicKeyInfo,_memcmp,_memcmp,GetLastError, 6_2_00F41302
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F567E2 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext, 6_2_00F567E2
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00CF9EB7 DecryptFileW, 11_2_00CF9EB7
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D1F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 11_2_00D1F961
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00CF9C99 DecryptFileW,DecryptFileW, 11_2_00CF9C99
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00BF9EB7 DecryptFileW, 12_2_00BF9EB7
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C1F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 12_2_00C1F961
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00BF9C99 DecryptFileW,DecryptFileW, 12_2_00BF9C99
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E0F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 13_2_00E0F961
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DE9C99 DecryptFileW,DecryptFileW, 13_2_00DE9C99
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DE9EB7 DecryptFileW, 13_2_00DE9EB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Packing Partner V3.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Packing Station.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Packing Partner Print.exe

Compliance

Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Window detected: I &AgreeCancelPacking Partner V4 - AimCo Software Packing Partner V4 - AimCo SoftwareLicense AgreementPlease review the license terms before installing Packing Partner V4 (4.0.0.20).Press Page Down to see the rest of the agreement.Packing Partner V4 licensing AgreementAll Packing Partner software remains the property of AiMCo Software.Each subscription entitles you to install and use one copy of this software on a single computer or login name.On request subscriptions can be transferred but not shared between computers or users.A single subscriptions entitles you to use the program for one calender year any unused part is not refundable.There is a full and unconditional refund if you cannot use the program or we are unable to resolve any fault with it.Aimco Software shall not be liable for any losses resulting from the use of Packing Partner or any of it's software.In the event of a successful claim against Aimco Software our liability shall not exceed 25.By installing this software you agree to our General Data Protection Policy available on our support forumCopyright AiMCo software 2018-2023If you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install Packing Partner V4 (4.0.0.20).
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240523_234123140-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1049\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\3082\license.rtf
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\LICENSE.txt
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\README.txt
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Static PE information: certificate valid
Source: C:\Windows\System32\msiexec.exe File opened: c:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_2019_x86.exe, 0000000B.00000000.2360173155.0000000000D2B000.00000002.00000001.01000000.00000016.sdmp, vcredist_2019_x86.exe, 0000000B.00000002.2694086254.0000000000D2B000.00000002.00000001.01000000.00000016.sdmp, vcredist_2019_x86.exe, 0000000C.00000002.2687800977.0000000000C2B000.00000002.00000001.01000000.00000017.sdmp, vcredist_2019_x86.exe, 0000000C.00000000.2375551745.0000000000C2B000.00000002.00000001.01000000.00000017.sdmp, VC_redist.x86.exe, 0000000D.00000003.2615914520.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x86.exe, 0000000D.00000000.2388022890.0000000000E1B000.00000002.00000001.01000000.00000019.sdmp, VC_redist.x86.exe, 0000000D.00000002.2681889263.0000000000E1B000.00000002.00000001.01000000.00000019.sdmp, VC_redist.x86.exe, 0000001C.00000000.2730362455.000000000021B000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: sfxcab.pdb source: vcredist_2010_x86.exe, vcredist_2010_x86.exe, 00000002.00000000.2167645378.0000000001002000.00000020.00000001.01000000.0000000B.sdmp, vcredist_2010_x86.exe, 00000002.00000002.2362560317.0000000001002000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\wixstdba.pdb source: vcredist_2012_x86.exe, 00000005.00000003.2228737514.00000000015F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, Setup.exe, 00000003.00000002.2335828733.000000006C731000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, Setup.exe, 00000003.00000002.2323919965.000000006C111000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: P:\Public\Apps\_.NET Projects\AiMCo Packing Partner\Backup\obj\x86\Release\Packing Partner Backup.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\DevWin10\Projects\_.NET Projects\Aimco DOMView\V112\PDFImage\obj\Release\PDFImage.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\wixstdba.pdb\ source: vcredist_2012_x86.exe, 00000005.00000003.2228737514.00000000015F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbtermediate.txt source: SrTasks.exe, 0000000E.00000003.2717348435.000001BC7368C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\x86\burn.pdb source: vcredist_2012_x86.exe, vcredist_2012_x86.exe, 00000006.00000000.2229175317.0000000000F21000.00000020.00000001.01000000.00000011.sdmp, vcredist_2012_x86.exe, 00000006.00000002.2446605237.0000000000F21000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\DevWin10\Projects\_.NET Projects\AiMCo Packing Partner\Packing Partner V4.0\ExtPrint\obj\Release\Packing Partner Print.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\DevWin10\Projects\_.NET Projects\AiMCo Packing Partner\Packing Partner V4.0\Extension\obj\x86\Release\Extensions.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3787110956.00000000026E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBxml4 source: SrTasks.exe, 0000000E.00000003.2717348435.000001BC7368C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000003.00000002.2279976924.0000000000A01000.00000020.00000001.01000000.0000000C.sdmp, Setup.exe, 00000003.00000000.2191004929.0000000000A01000.00000020.00000001.01000000.0000000C.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405302
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00405CD8 FindFirstFileA,FindClose, 0_2_00405CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_010046B9 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA, 2_2_010046B9
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C145B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose, 3_2_6C145B82
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C14410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr, 3_2_6C14410A
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C748097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose, 3_2_6C748097
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C734281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError, 3_2_6C734281
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F55B68 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 5_2_00F55B68
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F54E54 _memset,FindFirstFileW,FindClose, 5_2_00F54E54
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F42146 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 5_2_00F42146
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F42146 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 6_2_00F42146
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F55B68 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 6_2_00F55B68
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F54E54 _memset,FindFirstFileW,FindClose, 6_2_00F54E54
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00CE3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 11_2_00CE3BC3
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D24315 FindFirstFileW,FindClose, 11_2_00D24315
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00CF993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 11_2_00CF993E
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D17A87 FindFirstFileExW, 11_2_00D17A87
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C24315 FindFirstFileW,FindClose, 12_2_00C24315
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00BF993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 12_2_00BF993E
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00BE3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 12_2_00BE3BC3
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C17A87 FindFirstFileExW, 12_2_00C17A87
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E14315 FindFirstFileW,FindClose, 13_2_00E14315
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DE993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 13_2_00DE993E
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DD3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 13_2_00DD3BC3
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E07A87 FindFirstFileExW, 13_2_00E07A87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\INetC.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 4x nop then mov edx, dword ptr [esp+08h] 3_2_6C74DDDB

Networking

Source: Yara match File source: C:\Program Files (x86)\Packing Partner V4\CEF\DOMView.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Packing Partner V4\DOMView.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Packing Partner V4\Packing Partner V3.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Packing Partner V4\Packing Station.exe, type: DROPPED
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C184B54 URLDownloadToFileW, 3_2_6C184B54
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cknotes.com/pop3-error-no-x-uidl-header-found/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cknotes.com/pop3-error-no-x-uidl-header-found/message-idMessage-IDuidlmsgNumFailed
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cknotes.com/ssh-sftp-error-must-first-connect-to-the-ssh-server/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cknotes.com/v9-5-0-55-micro-update-new-features-fixes-changes-etc-2/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3892590195.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334298022.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2338890477.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.2288624755.000000000144D000.00000004.00000020.00020000.00000000.sdmp, vcredist_2012_x86.exe, 00000005.00000003.2442836997.0000000001627000.00000004.00000020.00020000.00000000.sdmp, vcredist_2012_x86.exe, 00000005.00000002.2447571982.0000000001627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3892590195.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334298022.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2338890477.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.2288624755.000000000144D000.00000004.00000020.00020000.00000000.sdmp, vcredist_2012_x86.exe, 00000005.00000003.2442836997.0000000001627000.00000004.00000020.00020000.00000000.sdmp, vcredist_2012_x86.exe, 00000005.00000002.2447571982.0000000001627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dispatch.lowcostparcels.co.uk/tracking/ByTrackID.aspx?trackID=
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://download.aimcosoftware.co.uk/V4.txt
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedex.com/ws/ship/v28-ProcessShipmentRequest/WebAuthenticationDetail
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://feedback.ebay.co.uk/ws/eBayISAPI.dll?LeaveFeedback2&lookup_id=
Source: Setup.exe, 00000003.00000003.2203149531.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000003.2206353690.00000000030D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://justshoutgfs.com/Client/Ship/v5/1RequestedDeleteShipments
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3887280501.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000000.2033496001.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3887280501.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000000.2033496001.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3892590195.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334298022.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2338890477.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.2288624755.000000000144D000.00000004.00000020.00020000.00000000.sdmp, vcredist_2012_x86.exe, 00000005.00000003.2442836997.0000000001627000.00000004.00000020.00020000.00000000.sdmp, vcredist_2012_x86.exe, 00000005.00000002.2447571982.0000000001627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2558417821.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0%
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3334100983.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0&
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA_v1_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA_v2_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA_v2_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA_v2_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA_v2_3.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RA_v2_4.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RB.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RB_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RB_v2_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RB_v2_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RB_v2_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RB_v2_3.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RC.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RC_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RC_v2_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RC_v2_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RC_v2_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RC_v2_3.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RT.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RT_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RT_v2_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RT_v2_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RT_v2_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RT_v2_3.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RV.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RV_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RV_v2_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RV_v2_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RV_v2_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_AD_RV_v2_3.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RA_v1_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RA_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RA_v1_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RB_v1_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RB_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RC_v1_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RC_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RC_v1_2.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RT_v1_0.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://politicas.icpbrasil.gov.br/PA_PAdES_AD_RT_v1_1.der
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/Centiro.Facade.Common.Operations.Authenticate
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/Centiro.Facade.TMSBasic.Contract.c1.i1.TMSBasic.BaseTypes.DT
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.MT.Web.Service.V2f
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.MT.Web.Service.V2g
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.MT.Web.Service.V2l
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.MT.Web.Service.V2r
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.MT.Web.Service.V2s
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/AddInternationalConsignmentV2T
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/AddInternationalConsignmentV3T
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/AddReturnToSenderT
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/AddSendToThirdPartyT
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/CancelConsignmentT
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/CancelReturnT
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/CreateConsignmentV2T
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/CreateConsignmentV3T
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.UKMail.com/Services/IUKMConsignmentService/GetLabelV2T
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3889698561.0000000000646000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2035107197.00000000026E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aimcosoftware.co.uk
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aimcosoftware.co.uk/support.html
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3889698561.0000000000646000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.2035107197.00000000026E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aimcosoftware.co.ukPublisherAimco
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anything.com
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chilkatforum.com/questions/11627/sftp-failed-to-get-address-info
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chilkatsoft.com/p/p_463.asp)
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=210
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=217
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=282
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=282Closing
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=370
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=370POP3
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=411
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cknotes.com/?p=91
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dhl.com
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dpd.co.uk/apps/tracking/?reference=
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dpd.co.uk/tracking/trackingSearch.do?search.searchType=0&search.parcelNumber=5http://www.
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xml
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.co.uk/search?q=
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.interlinkexpress.com/tracking/trackingSearch.do?search.searchType=1&search.consignmentNum
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mailpass.com/verify.cgi
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mailpass.com/verify.cgihttp://spamarrest.com/aThis
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.myhermes.co.uk/tracking-results.html?trackingNumber=
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.parcelforce.net/ws/ship/v14
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tnt.com/express/en_gb/site/home/applications/application_panel-trackinguk-input.html
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xci/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xdc/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xfa-connection-set/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xfa-data/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xfa-data/1.0/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xfa-form/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xfa-locale-set/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xfa-source-set/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfa.org/schema/xfa-template/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.packingpartner.uk
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.packingpartner.uk/acc/mt/api.php
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/tokenMissing
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://admin.myshopwired.uk/business/manage-profile-about
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3787976335.00000000026E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/DOMView/Versions/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/V4/info/pricing.html
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/content/index.php
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/forum/content.php
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/forum/preview.php
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/install
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/pay4/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/support.html
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/v35Help/_chm/Guides/dashboardpro.html
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aimcosoftware.co.uk/v40Script/index.htmlmhttps://aimcosoftware.co.uk/v40Help/Script_Editor.h
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apc-training.hypaship.com/api/3.0/Orders.json
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apc-training.hypaship.com/api/3.0/Orders/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apc.hypaship.com/api/3.0/Orders.json
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apc.hypaship.com/api/3.0/Orders/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.amazon.com/auth/o2/token
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3786269719.0000000005A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.channeladvisor.com/ChannelAdvisorAPI/V7/FulfillmentService.asmx
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3786269719.0000000005A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.channeladvisor.com/ChannelAdvisorAPI/v5/AdminService.asmx
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3786269719.0000000005A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.channeladvisor.com/ChannelAdvisorAPI/v5/ShippingService.asmx
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3786269719.0000000005A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.channeladvisor.com/ChannelAdvisorAPI/v7/AdminService.asmx
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3786269719.0000000005A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.channeladvisor.com/ChannelAdvisorAPI/v7/InventoryService.asmx
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3786269719.0000000005A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.channeladvisor.com/ChannelAdvisorAPI/v7/OrderService.asmx
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3786269719.0000000005A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.channeladvisor.com/ChannelAdvisorAPI/v7/ShippingService.asmx
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.create.net/orders/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.create.net/orders/-1
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.create.net/products/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.dpd.co.uk/shipping/shipmentghttps://api.dpd.co.uk/shipping/shipment/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.dpd.co.uk/user/?action=login
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.dpdlocal.co.uk/shipping/shipmentqhttps://api.dpdlocal.co.uk/shipping/shipment/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.dpdlocal.co.uk/user/?action=login
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ebay.com/wsapi?callname=
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ecommerceapi.uk/v1/order-statuses
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ecommerceapi.uk/v1/orders/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ecommerceapi.uk/v1/products/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.myhermes.co.uk/api/parcels?uhttps://api.myhermes.co.uk/api/labels/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.onbuy.com/v2/auth/request-token
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.onbuy.com/v2/orders/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.onbuy.com/v2/orders/dispatch%InvalidOrderStatus
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.parcel.royalmail.com/api/v1/orders
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.parcel.royalmail.com/api/v1/orders/ref;
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.myhermes.co.uk/customer/authorize?response_type=code&client_id=
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.parcel2go.com/auth/connect/tokenIhttps://www.parcel2go.com/api/ordersIhttps://www.parcel
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.parcelforce.com/portal/pw/track?trackNumber=khttp://www.royalmail.com/portal/rm/track?tr
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.trade-tariff.service.gov.uk/trade-tariff/sections
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ukmail.com/applications/ConsignmentStatus/ConsignmentSearchResults.aspx?SearchType=Consi
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wix.com/installer/install
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wixapis.com/oauth/access
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wixapis.com/stores/v2/orders/
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwwcie.ups.com/ship/v1/shipments
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmlpi-ea.dhl.com/XMLShippingServlet
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.00000000026E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.00000000026E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmlpitest-ea.dhl.com/XMLShippingServlet
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EB9

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcredist_2010_x86[1].exe entropy: 7.99881338707
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe entropy: 7.99881338707
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Lib4000[1].exe entropy: 7.99994585553
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe entropy: 7.99994585553
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Font\arialn.z entropy: 7.9953119467
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Font\arialnb.z entropy: 7.99509933791
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\CEF1120[1].exe entropy: 7.9999957754
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe entropy: 7.9999957754
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcredist_2019_x86[1].exe entropy: 7.99525000453
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe entropy: 7.99525000453
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\vc_red.cab entropy: 7.9997557845
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\cab54A5CABBE7274D8A22EB58060AAB7623 entropy: 7.99842059934
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\cabB3E1576D1FEFBB979E13B1A5379E0B16 entropy: 7.99884941318
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\cab54A5CABBE7274D8A22EB58060AAB7623 entropy: 7.99780544364
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\cabB3E1576D1FEFBB979E13B1A5379E0B16 entropy: 7.99788127212
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe File created: C:\ProgramData\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 (copy) entropy: 7.99780544364
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe File created: C:\ProgramData\Package Cache\{46E11E7F-01E1-44D0-BB86-C67342D253DD}v14.32.31326\packages\vcRuntimeMinimum_x86\cab1.cab (copy) entropy: 7.99780544364
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe File created: C:\ProgramData\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 (copy) entropy: 7.99788127212
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe File created: C:\ProgramData\Package Cache\{A250E750-DB3F-40C1-8460-8EF77C7582DA}v14.32.31326\packages\vcRuntimeAdditional_x86\cab1.cab (copy) entropy: 7.99788127212
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\resources.pak entropy: 7.99658451984

System Summary

Source: FindProcDLL.dll.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01003972 OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary, 2_2_01003972
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_0100358B NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose, 2_2_0100358B
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_010034F4 NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose, 2_2_010034F4
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01002B13: GetDriveTypeA,CreateFileA,DeviceIoControl,CloseHandle, 2_2_01002B13
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030CB
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01003972 OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary, 2_2_01003972
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C164E0D ExitWindowsEx, 3_2_6C164E0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\3 of 9 Narrow ASCII.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\3 of 9 Narrow.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\3 of 9 Wide ASCII.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\3 of 9 Wide.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\Consolas.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\Segoe UI Bold Italic.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\Segoe UI Bold.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\Segoe UI Italic.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\Segoe UI.ttf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Windows\Fonts\SourceCodePro.ttf
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\Installer\6c3c9e.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{196BB40D-1578-3D01-B289-BEFC77A11A1E}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4103.tmp
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\atl100.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfc100u.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfcm100.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\SysWOW64\vcomp100.dll
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Windows\System32\msiexec.exe File created: c:\Windows\Installer\6c3ca1.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80db.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI831D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\msvcr110.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vccorlib110.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80de.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80df.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI886D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp110.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp110.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80e2.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80e3.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{46E11E7F-01E1-44D0-BB86-C67342D253DD}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID43C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\concrt140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_atomic_wait.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80e7.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80e8.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{A250E750-DB3F-40C1-8460-8EF77C7582DA}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDE7E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c80ef.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\6c3ca1.msi
Source: C:\Windows\System32\SrTasks.exe Process token adjusted: Security
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePDFImage.dll2 vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3774513867.00000000026E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameinetc.dllF vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePacking Partner Print.exe@ vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.00000000026E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameChilkatDotNet45.dll vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3787976335.00000000026E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDOMView.dll@ vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [--OriginalFilename--12345678--] vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3795277743.0000000002867000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3785143368.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePacking Station.exe@ vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3779329737.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePacking Partner V3.exe@ vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePacking Partner Backup.exe. vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3798348039.00000000026E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExtras.dll" vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3787110956.00000000026E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExtensions.dllB vs SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: sus28.rans.troj.evad.winEXE@35/941@0/1
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C17CBBB __EH_prolog3,GetLastError,GetLastError,SetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree, 3_2_6C17CBBB
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C164DC9 AdjustTokenPrivileges, 3_2_6C164DC9
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F2C1A4 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 5_2_00F2C1A4
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F2C1A4 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 6_2_00F2C1A4
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00CE44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 11_2_00CE44E9
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00BE44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 12_2_00BE44E9
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DD44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 13_2_00DD44E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041CD
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C155238 CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,CloseHandle, 3_2_6C155238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C1878DF LoadResource,LockResource,SizeofResource, 3_2_6C1878DF
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C15E9B4 ChangeServiceConfigW, 3_2_6C15E9B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcredist_2010_x86[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\nswEDC2.tmp
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: cabinet.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: msi.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: version.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: wininet.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: comres.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: clbcatq.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: msasn1.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: crypt32.dll 11_2_00CE1070
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Command line argument: feclient.dll 11_2_00CE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: cabinet.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: msi.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: version.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: wininet.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: comres.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: clbcatq.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: msasn1.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: crypt32.dll 12_2_00BE1070
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Command line argument: feclient.dll 12_2_00BE1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: cabinet.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: msi.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: version.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: wininet.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: comres.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: clbcatq.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: msasn1.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: crypt32.dll 13_2_00DD1070
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Command line argument: feclient.dll 13_2_00DD1070
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe String found in binary or memory: Pre-Installation Warnings:
Source: vcredist_2012_x86.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: vcredist_2019_x86.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe /q /norestart
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Process created: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe c:\14cf0ab3e4a0f130fd99e986a4\Setup.exe /q /norestart
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe /q /norestart
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe "C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe" /q /norestart -burn.unelevated BurnPipe.{CA42E693-A6A8-4B3E-8B47-BDA43C78E551} {5B7172FD-6E81-465C-B515-21DA173C4F62} 2820
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe /q /norestart
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Process created: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe "C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe" -burn.filehandle.attached=700 -burn.filehandle.self=748 /q /norestart
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Process created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe "C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{F320CDF8-E401-4EF5-9F1B-EDA3611F5688} {5D0F0C66-332F-41E0-A1E1-6C2057523AF5} 7668
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown Process created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20240523234124.log" /quiet /norestart ignored /burn.runonce
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Process created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /burn.log.append C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20240523234124.log /quiet /norestart ignored
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Process created: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe "C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe" /S /D=C:\Program Files (x86)\Packing Partner V4
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Process created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" -q -burn.elevated BurnPipe.{A2C4E75F-C172-4AD8-B169-B7BE702B5646} {D3660430-5913-4C20-9C4C-44BF2099DAC6} 5612
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe"
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Process created: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe "C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe" /S /D=C:\Program Files (x86)\Packing Partner V4
Source: C:\Windows\System32\svchost.exe Process created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" -q -burn.elevated BurnPipe.{A2C4E75F-C172-4AD8-B169-B7BE702B5646} {D3660430-5913-4C20-9C4C-44BF2099DAC6} 5612
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: clusapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Section loaded: feclient.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: apphelp.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: acgenral.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: uxtheme.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: winmm.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: samcli.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: msacm32.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: version.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: userenv.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: dwmapi.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: urlmon.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: mpr.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: sspicli.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: winmmbase.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: iertutil.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: srvcli.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: netutils.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: aclayers.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: sfc.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: sfc_os.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: setupengine.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: msi.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: winhttp.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: secur32.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: sqmapi.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: msasn1.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: windows.storage.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: wldp.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: profapi.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: ntmarta.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: kernel.appcore.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: msxml3.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: cryptsp.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: rsaenh.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: cryptbase.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: gpapi.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: msisip.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: srpapi.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: tsappcmp.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: netapi32.dll
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: srclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: usoapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: sxproxy.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: acgenral.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: winmm.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: samcli.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: msacm32.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: version.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: dwmapi.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: urlmon.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: mpr.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: winmmbase.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: srvcli.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: aclayers.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: sfc.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: sfc_os.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: msimg32.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: explorerframe.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: riched20.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: usp10.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: msls31.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: textshaping.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: propsys.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: edputil.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: appresolver.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: slc.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: sppc.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: acgenral.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: winmm.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: samcli.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: msacm32.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: version.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: dwmapi.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: urlmon.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: mpr.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: winmmbase.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: winmmbase.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: srvcli.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: aclayers.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: sfc.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: sfc_os.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: srclient.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: spp.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: vssapi.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: vsstrace.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: usoapi.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: sxproxy.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: srpapi.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: tsappcmp.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: netapi32.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: wininet.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: msasn1.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: wininet.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: msasn1.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File written: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\ioSpecial.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Automated click: I Agree
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Window detected: I &Agree Cancel Packing Partner V4 - AimCo Software Packing Partner V4 - AimCo Software License Agreement Please review the license terms before installing Packing Partner V4 (4.0.0.20). Press Page Down to see the rest of the agreement. Packing Partner V4 licensing Agreement All Packing Partner software remains the property of AiMCo Software. Each subscription entitles you to install and use one copy of this software on a single computer or login name. On request subscriptions can be transferred but not shared between computers or users. A single subscriptions entitles you to use the program for one calender year any unused part is not refundable. There is a full and unconditional refund if you cannot use the program or we are unable to resolve any fault with it. Aimco Software shall not be liable for any losses resulting from the use of Packing Partner or any of it's software. In the event of a successful claim against Aimco Software our liability shall not exceed 25. By installing this software you agree to our General Data Protection Policy available on our support forum Copyright AiMCo software 2018-2023 If you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install Packing Partner V4 (4.0.0.20).
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Window detected: Number of UI elements: 19
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Window detected: Number of UI elements: 23
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Window detected: Number of UI elements: 19
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe Window detected: Number of UI elements: 23
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Static file information: File size 9104160 > 1048576
Source: C:\Windows\System32\msiexec.exe File opened: c:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_2019_x86.exe, 0000000B.00000000.2360173155.0000000000D2B000.00000002.00000001.01000000.00000016.sdmp, vcredist_2019_x86.exe, 0000000B.00000002.2694086254.0000000000D2B000.00000002.00000001.01000000.00000016.sdmp, vcredist_2019_x86.exe, 0000000C.00000002.2687800977.0000000000C2B000.00000002.00000001.01000000.00000017.sdmp, vcredist_2019_x86.exe, 0000000C.00000000.2375551745.0000000000C2B000.00000002.00000001.01000000.00000017.sdmp, VC_redist.x86.exe, 0000000D.00000003.2615914520.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x86.exe, 0000000D.00000000.2388022890.0000000000E1B000.00000002.00000001.01000000.00000019.sdmp, VC_redist.x86.exe, 0000000D.00000002.2681889263.0000000000E1B000.00000002.00000001.01000000.00000019.sdmp, VC_redist.x86.exe, 0000001C.00000000.2730362455.000000000021B000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: sfxcab.pdb source: vcredist_2010_x86.exe, vcredist_2010_x86.exe, 00000002.00000000.2167645378.0000000001002000.00000020.00000001.01000000.0000000B.sdmp, vcredist_2010_x86.exe, 00000002.00000002.2362560317.0000000001002000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\wixstdba.pdb source: vcredist_2012_x86.exe, 00000005.00000003.2228737514.00000000015F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, Setup.exe, 00000003.00000002.2335828733.000000006C731000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, Setup.exe, 00000003.00000002.2323919965.000000006C111000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: P:\Public\Apps\_.NET Projects\AiMCo Packing Partner\Backup\obj\x86\Release\Packing Partner Backup.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3780834175.00000000026EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\DevWin10\Projects\_.NET Projects\Aimco DOMView\V112\PDFImage\obj\Release\PDFImage.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3797279832.00000000026E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\wixstdba.pdb\ source: vcredist_2012_x86.exe, 00000005.00000003.2228737514.00000000015F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbtermediate.txt source: SrTasks.exe, 0000000E.00000003.2717348435.000001BC7368C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\x86\burn.pdb source: vcredist_2012_x86.exe, vcredist_2012_x86.exe, 00000006.00000000.2229175317.0000000000F21000.00000020.00000001.01000000.00000011.sdmp, vcredist_2012_x86.exe, 00000006.00000002.2446605237.0000000000F21000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\DevWin10\Projects\_.NET Projects\AiMCo Packing Partner\Packing Partner V4.0\ExtPrint\obj\Release\Packing Partner Print.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3781331778.00000000026ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\DevWin10\Projects\_.NET Projects\AiMCo Packing Partner\Packing Partner V4.0\Extension\obj\x86\Release\Extensions.pdb source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000003.3787110956.00000000026E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBxml4 source: SrTasks.exe, 0000000E.00000003.2717348435.000001BC7368C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000003.00000002.2279976924.0000000000A01000.00000020.00000001.01000000.0000000C.sdmp, Setup.exe, 00000003.00000000.2191004929.0000000000A01000.00000020.00000001.01000000.0000000C.sdmp
Source: Packing Partner Backup.exe.0.dr Static PE information: 0x888D7616 [Wed Aug 6 21:09:42 2042 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405CFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_10002A10 push eax; ret 0_2_10002A3E
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_010065F3 push ecx; ret 2_2_01006603
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_00A03DF5 push ecx; ret 3_2_00A03E08
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C196F06 push ecx; ret 3_2_6C196F19
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C18E265 push ecx; ret 3_2_6C18E278
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C734821 push ecx; ret 3_2_6C734834
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C731B89 push ecx; ret 3_2_6C731B9C
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F25A55 push ecx; ret 5_2_00F25A68
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F25A55 push ecx; ret 6_2_00F25A68
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D0E876 push ecx; ret 11_2_00D0E889
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C0E876 push ecx; ret 12_2_00C0E889
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DFE876 push ecx; ret 13_2_00DFE889

Persistence and Installation Behavior

Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vccorlib110.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Windows\System32\msiexec.exe File created: 6c80e6.rbf (copy)
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\2052\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\Sharp3DBinPacking.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1042\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\msvcr110.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\System.Data.SQLite.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp100.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Extensions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Lib4000[1].exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1036\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1033\SetupResources.dll
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\wixstdba.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\HelpViewer.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcredist_2019_x86[1].exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp110.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.dll
Source: C:\Windows\System32\msiexec.exe File created: 6c80eb.rbf (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\HidSharp.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.WinForms.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm100.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1049\SetupResources.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\Microsoft.WindowsAPICodePack.Shell.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\Microsoft.WindowsAPICodePack.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\3082\SetupResources.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\Restart.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcredist_2012_x86[1].exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\MessagingToolkit.Barcode.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1041\SetupResources.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\InstallOptions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\CEF1120[1].exe
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\PDFLibNet.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_atomic_wait.dll
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe File created: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Packing Partner Print.exe
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\ScintillaNET.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\x86\liblept172.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\ExcelDataReader.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\wixstdba.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\vccorlib140.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\DOMView.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\atl100.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\FlatTabControl.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe File created: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\INetC.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.Core.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\Microsoft.mshtml.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Packing Partner Backup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1040\SetupResources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100ita.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\MdiTabControl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\SetupUi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140fra.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\libcef.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\DOMView.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1028\SetupResources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140rus.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\SetupEngine.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Packing Station.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_codecvt_ids.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\DOMView.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\x86\libtesseract304.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.Core.Runtime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\1031\SetupResources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100fra.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: 6c80ec.rbf (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\concrt140.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\chrome_elf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp110.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\d3dcompiler_47.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\DiffPlex.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcredist_2010_x86[1].exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\FindProcDLL.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: 6c80ed.rbf (copy) Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.BrowserSubprocess.Core.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\PDFImage.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\libEGL.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140kor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: 6c80ee.rbf (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.be\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\System.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm100u.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Extras.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\ChilkatDotNet45.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Packing Partner V3.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86 Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File created: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100kor.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: C:\14cf0ab3e4a0f130fd99e986a4\sqmapi.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\Tesseract.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100jpn.dll Jump to dropped file
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe File created: C:\Program Files (x86)\Packing Partner V4\SQLite.Interop.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140esn.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vccorlib110.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100cht.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140deu.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140jpn.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140u.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\msvcr110.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp100.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100deu.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100u.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp110.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\vcruntime140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100esn.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140cht.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100rus.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm100.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140u.dll Jump to dropped file
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240523_234123140-MSI_vc_red.msi.txt Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1033\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1041\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1042\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1028\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\2052\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1040\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1036\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1031\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\3082\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe File created: c:\14cf0ab3e4a0f130fd99e986a4\1049\eula.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe File created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe File created: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe File created: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\3082\license.rtf
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\LICENSE.txt
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe File created: C:\Program Files (x86)\Packing Partner V4\CEF\README.txt
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VSSetup Jump to behavior
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C15F721 StartServiceW, 3_2_6C15F721
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} Jump to behavior
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vccorlib110.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6c80e6.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\2052\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Sharp3DBinPacking.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1042\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\msvcr110.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\System.Data.SQLite.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp100.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Extensions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100u.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1036\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1033\SetupResources.dll
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\wixstdba.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp110.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6c80eb.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\HidSharp.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.WinForms.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1049\SetupResources.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Microsoft.WindowsAPICodePack.Shell.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Microsoft.WindowsAPICodePack.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\3082\SetupResources.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Restart.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\MessagingToolkit.Barcode.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1041\SetupResources.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\InstallOptions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\PDFLibNet.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_atomic_wait.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Packing Partner Print.exe
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\ScintillaNET.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_1.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\x86\liblept172.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\ExcelDataReader.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\DOMView.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\vccorlib140.dll
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Dropped PE file which has not been started: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\wixstdba.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\atl100.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\FlatTabControl.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\INetC.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.Core.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Microsoft.mshtml.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\vulkan-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Packing Partner Backup.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1040\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\MdiTabControl.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\SetupUi.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\libcef.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\DOMView.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1028\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Packing Station.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_codecvt_ids.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\libGLESv2.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\DOMView.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\x86\libtesseract304.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.Core.Runtime.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Dropped PE file which has not been started: C:\14cf0ab3e4a0f130fd99e986a4\1031\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6c80ec.rbf (copy)
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\chrome_elf.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\concrt140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp110.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\d3dcompiler_47.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\DiffPlex.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\FindProcDLL.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6c80ed.rbf (copy)
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\CefSharp.BrowserSubprocess.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\PDFImage.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\CEF1120.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\CEF\libEGL.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6c80ee.rbf (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\System.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Extras.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\ChilkatDotNet45.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Packing Partner V3.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\F7E11E641E100D44BB686C37242D35DD\14.32.31326\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\Tesseract.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100jpn.dll
Source: C:\Program Files (x86)\Packing Partner V4\Library\Lib4000.exe Dropped PE file which has not been started: C:\Program Files (x86)\Packing Partner V4\SQLite.Interop.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Evaded block: after key decision
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Evaded block: after key decision
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\SrTasks.exe TID: 6052 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\SrTasks.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D1FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D1FE5Dh 11_2_00D1FDC2
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D1FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D1FE56h 11_2_00D1FDC2
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C1FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00C1FE5Dh 12_2_00C1FDC2
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C1FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00C1FE56h 12_2_00C1FDC2
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E0FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00E0FE5Dh 13_2_00E0FDC2
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E0FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00E0FE56h 13_2_00E0FDC2
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405302
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00405CD8 FindFirstFileA,FindClose, 0_2_00405CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_010046B9 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA, 2_2_010046B9
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C145B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose, 3_2_6C145B82
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C14410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr, 3_2_6C14410A
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C748097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose, 3_2_6C748097
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C734281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError, 3_2_6C734281
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F55B68 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 5_2_00F55B68
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F54E54 _memset,FindFirstFileW,FindClose, 5_2_00F54E54
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F42146 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 5_2_00F42146
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F42146 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 6_2_00F42146
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F55B68 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 6_2_00F55B68
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F54E54 _memset,FindFirstFileW,FindClose, 6_2_00F54E54
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00CE3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 11_2_00CE3BC3
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D24315 FindFirstFileW,FindClose, 11_2_00D24315
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00CF993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 11_2_00CF993E
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D17A87 FindFirstFileExW, 11_2_00D17A87
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C24315 FindFirstFileW,FindClose, 12_2_00C24315
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00BF993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 12_2_00BF993E
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00BE3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 12_2_00BE3BC3
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C17A87 FindFirstFileExW, 12_2_00C17A87
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E14315 FindFirstFileW,FindClose, 13_2_00E14315
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DE993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 13_2_00DE993E
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DD3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 13_2_00DD3BC3
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E07A87 FindFirstFileExW, 13_2_00E07A87
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C170C91 __EH_prolog3_GS,GetModuleHandleW,GetLastError,GetSystemInfo,GetLastError,GetLastError,GetLastError,_memset,GetLastError, 3_2_6C170C91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\INetC.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe File opened: C:\Users\user\AppData\Local\Temp\nshEE02.tmp\
Source: SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3889698561.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe, 00000000.00000002.3889698561.00000000006A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe API call chain: ExitProcess graph end node
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Process information queried: ProcessInformation
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_00A02BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00A02BA5
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C18C78B VirtualProtect ?,-00000001,00000104,? 3_2_6C18C78B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405CFF
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D14812 mov eax, dword ptr fs:[00000030h] 11_2_00D14812
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C14812 mov eax, dword ptr fs:[00000030h] 12_2_00C14812
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E04812 mov eax, dword ptr fs:[00000030h] 13_2_00E04812
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01005899 InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateEventA,CreateThread,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,FindCloseChangeNotification,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess, 2_2_01005899
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_010062FF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_010062FF
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_00A02BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00A02BA5
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_00A045BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A045BE
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C1676A7 __EH_prolog3,GetModuleHandleW,GetProcAddress,SetUnhandledExceptionFilter,GetCommandLineW, 3_2_6C1676A7
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C18EB6A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C18EB6A
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C18B091 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C18B091
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C73171F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C73171F
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F28498 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00F28498
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F285FB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00F285FB
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F25E9A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00F25E9A
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F24797 SetUnhandledExceptionFilter, 5_2_00F24797
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F28498 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00F28498
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F285FB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00F285FB
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F25E9A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00F25E9A
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 6_2_00F24797 SetUnhandledExceptionFilter, 6_2_00F24797
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D0E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00D0E188
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D0E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00D0E625
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D0E773 SetUnhandledExceptionFilter, 11_2_00D0E773
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D13BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00D13BB0
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C0E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00C0E188
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C0E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00C0E625
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C0E773 SetUnhandledExceptionFilter, 12_2_00C0E773
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Code function: 12_2_00C13BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00C13BB0
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DFE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00DFE188
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DFE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00DFE625
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00DFE773 SetUnhandledExceptionFilter, 13_2_00DFE773
Source: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe Code function: 13_2_00E03BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00E03BB0
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Process created: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe "C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe" -burn.filehandle.attached=700 -burn.filehandle.self=748 /q /norestart
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Process created: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe "C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{F320CDF8-E401-4EF5-9F1B-EDA3611F5688} {5D0F0C66-332F-41E0-A1E1-6C2057523AF5} 7668
Source: C:\Windows\System32\svchost.exe Process created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" -q -burn.elevated BurnPipe.{A2C4E75F-C172-4AD8-B169-B7BE702B5646} {D3660430-5913-4C20-9C4C-44BF2099DAC6} 5612
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01004F6B InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,FindCloseChangeNotification,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer, 2_2_01004F6B
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01003D02 AllocateAndInitializeSid,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLengthSid,GetTokenInformation,GetLengthSid, 2_2_01003D02
Source: Setup.exe, 00000003.00000003.2223881970.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000003.2223690287.00000000014A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.2288624755.000000000144D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert
Source: Setup.exe, 00000003.00000003.2224000503.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [1028] [explorer.exe] [Program Manager] [Visible]lled1
Source: C:\Users\user\AppData\Local\Temp\vcredist_2019_x86.exe Code function: 11_2_00D0E9A7 cpuid 11_2_00D0E9A7
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: GetLocaleInfoA, 5_2_00F2B6BD
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: GetLocaleInfoA, 6_2_00F2B6BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{564A0345-3E27-4D7C-BAD6-487E44262AFC}\.cr\vcredist_2019_x86.exe Queries volume information: C:\Windows\Temp\{CFB84EDF-86E6-41E3-8D30-2468A68A0171}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\SrTasks.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{817e21c1-6b3a-4bc1-8c49-67e4e1887b3a}\VC_redist.x86.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{A9914FEB-2B11-4285-BCDA-3E3AB9073948}\.ba\logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F2D730 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,CreateNamedPipeW,GetLastError, 5_2_00F2D730
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Code function: 2_2_01004F6B InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,FindCloseChangeNotification,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer, 2_2_01004F6B
Source: C:\Users\user\AppData\Local\Temp\vcredist_2012_x86.exe Code function: 5_2_00F34D0C GetUserNameW,GetLastError, 5_2_00F34D0C
Source: C:\14cf0ab3e4a0f130fd99e986a4\Setup.exe Code function: 3_2_6C167B40 __EH_prolog3_GS,GetCommandLineW,_memset,GetTimeZoneInformation,GetThreadLocale, 3_2_6C167B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Code function: 0_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_004059FF
Source: C:\Users\user\AppData\Local\Temp\vcredist_2010_x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Krypt.13987.3473.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING