Edit tour

Windows Analysis Report
installcriptocns.exe

Overview

General Information

Sample name:	installcriptocns.exe
Analysis ID:	1531119
MD5:	100bea48a4b460d6ece41e5d2e4606ff
SHA1:	82baeb342027198331c05f5cd20fb5b9f27591b9
SHA256:	e756c94d07706aab45372a01e07c642ab4a8c1f011bd5895c1df6569c64740e2
Infos:

Detection

Score:	30
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

installcriptocns.exe (PID: 6684 cmdline: "C:\Users\user\Desktop\installcriptocns.exe" MD5: 100BEA48A4B460D6ECE41E5D2E4606FF)

installcriptocns.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\installcriptocns.exe" --rerunningWithoutUAC MD5: 100BEA48A4B460D6ECE41E5D2E4606FF)

Update.exe (PID: 6908 cmdline: "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC MD5: A560BAD9E373EA5223792D60BEDE2B13)

squirrel.exe (PID: 7016 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe MD5: 6FCBE10724D6C767002A845C0BBE1139)

criptocns.exe (PID: 6580 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-install 1.1.1 MD5: EAB112A35B65CA5236B6CFD227875F1F)

criptocns.exe (PID: 6196 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-firstrun MD5: EAB112A35B65CA5236B6CFD227875F1F)

criptocns.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: EAB112A35B65CA5236B6CFD227875F1F)

criptocns.exe (PID: 1940 cmdline: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice/service.js "--log={\"path\":\"C:\\Users\\user\\.criptocns\",\"fname\":\"criptocns-n.log\",\"maxSize\":2048,\"rotate\":5,\"level\":1}" "--server={\"port\":9171,\"maxAge\":1800,\"trustedOrigins\":{\"warning\":true,\"origins\":[]}}" --service=CriptoCNS MD5: EAB112A35B65CA5236B6CFD227875F1F)

cmd.exe (PID: 2128 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hash kdialog 2>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2408 cmdline: C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "kdialog"' 2>&1>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2628 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where kdialog" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 6256 cmdline: where kdialog MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 4200 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where kdialog.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 4368 cmdline: where kdialog.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 4404 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 2916 cmdline: where.exe kdialog MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 5088 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 5124 cmdline: where.exe kdialog.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 4016 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hash zenity 2>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 980 cmdline: C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "zenity"' 2>&1>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5652 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where zenity" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 400 cmdline: where zenity MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 5996 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where zenity.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 6700 cmdline: where zenity.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 7120 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 4892 cmdline: where.exe zenity MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 408 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 7124 cmdline: where.exe zenity.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 4696 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hash yad 2>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6468 cmdline: C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "yad"' 2>&1>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 444 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where yad" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 2400 cmdline: where yad MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 3436 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where yad.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 2036 cmdline: where yad.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 1468 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe yad" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 5488 cmdline: where.exe yad MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 6232 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe yad.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 4364 cmdline: where.exe yad.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

criptocns.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --mojo-platform-channel-handle=2012 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: EAB112A35B65CA5236B6CFD227875F1F)

explorer.exe (PID: 4380 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

criptocns.exe (PID: 5692 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --app-user-model-id=com.squirrel.CriptoCNS.criptocns --app-path="C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app" --no-sandbox --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=4564869468 --mojo-platform-channel-handle=2308 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: EAB112A35B65CA5236B6CFD227875F1F)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\CriptoCNS\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: installcriptocns.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CriptoCNS

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Source: installcriptocns.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdbF source: Update.exe, 0000000A.00000002.2299747007.0000000022093000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netstandard.pdb.mdb source: Update.exe, 0000000A.00000000.1303554849.0000000000452000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 0000000A.00000002.2254208604.000000001B6D0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 0000000A.00000002.2243154286.0000000012951000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: Update.exe, 0000000A.00000002.2301545150.00000000220A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: Update.exe, 0000000A.00000002.2301545150.00000000220A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Update.exe, 0000000A.00000002.2294425478.0000000021B86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: electron.exe.pdb source: criptocns.exe, 0000000F.00000000.2074063248.00007FF74C359000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: installcriptocns.exe, 00000000.00000000.1176549095.000000000057F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Update.exe, 0000000A.00000002.2295336873.0000000021BC3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: Update.exe, 0000000A.00000002.2286850282.000000001FE4F000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 0000000A.00000002.2299747007.0000000022093000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File opened: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File opened: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File opened: C:\Users\user\AppData\Local\CriptoCNS	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\CriptoCNS\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe, type: DROPPED

Source: Joe Sandbox View

IP Address: 162.159.61.3 162.159.61.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: V8.MemoryHeapUsedV8.MemoryHeapCommittedmail.google.com.gmaildrive.google.com.docsplus.google.com.plusinbox.google.com.inboxcalendar.google.com.calendarwww.youtube.com.youtube.top10sina.com.cnfacebook.combaidu.comqq.comtwitter.comtaobao.comlive.com equals www.youtube.com (Youtube)
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: chttps://www.baidu.com/s?ie={inputEncoding}&wd={searchTerms}https://www.baidu.com/s?ie={inputEncoding}&word={searchTerms}https://www.baidu.com/{google:pathWildcard}/s?ie={inputEncoding}&word={searchTerms}{google:baseURL}#q={searchTerms}{google:baseURL}search#q={searchTerms}{google:baseURL}webhp#q={searchTerms}{google:baseURL}s#q={searchTerms}{google:baseURL}s?q={searchTerms}https://go.mail.ru/msearch?q={searchTerms}&{mailru:referralID}https://m.so.com/s?ie={inputEncoding}&q={searchTerms}https://m.so.com/index.php?ie={inputEncoding}&q={searchTerms}https://m.sogou.com/web/{google:pathWildcard}?ie={inputEncoding}&keyword={searchTerms}http://searchatlas.centrum.cz/?q={searchTerms}http://hladaj.atlas.sk/fulltext/?phrase={searchTerms}http://isearch.avg.com/search?q={searchTerms}http://search.avg.com/route/?q={searchTerms}&lng={language}https://isearch.avg.com/search?q={searchTerms}https://search.avg.com/route/?q={searchTerms}&lng={language}http://search.babylon.com/?q={searchTerms}http://search.conduit.com/Results.aspx?q={searchTerms}http://www.delfi.lt/paieska/?q={searchTerms}http://www.delta-search.com/?q={searchTerms}http://www1.delta-search.com/home?q={searchTerms}http://www1.delta-search.com/?q={searchTerms}http://www2.delta-search.com/home?q={searchTerms}http://www2.delta-search.com/?q={searchTerms}http://www.search.delta-search.com/home?q={searchTerms}http://www.search.delta-search.com/?q={searchTerms}http://www.yhs.delta-search.com/home?q={searchTerms}http://www.yhs.delta-search.com/?q={searchTerms}http://mixidj.delta-search.com/home?q={searchTerms}http://mixidj.delta-search.com/?q={searchTerms}http://search.goo.ne.jp/web.jsp?MT={searchTerms}&IE={inputEncoding}http://search.goo.ne.jp/sgt.jsp?MT={searchTerms}&CL=plugin&FM=json&IE={inputEncoding}http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx#q={searchTerms}http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx#q={searchTerms}http://start.iminent.com/?q={searchTerms}http://start.iminent.com/StartWeb/1033/homepage/#q={searchTerms}http://search.incredibar.com/?q={searchTerms}http://mystart.incredibar.com/?search={searchTerms}https://www.neti.ee/cgi-bin/otsing?query={searchTerms}&src=webhttps://www.neti.ee/api/suggestOS?suggestVersion=1&suggestQuery={searchTerms}https://nova.rambler.ru/search?query={searchTerms}https://nova.rambler.ru/suggest?v=3&query={searchTerms}http://www.search-results.com/web?q={searchTerms}http://search.snap.do/?q={searchTerms}http://feed.snapdo.com/?q={searchTerms}http://feed.snap.do/?q={searchTerms}http://en.softonic.com/s/{searchTerms}http://www.softonic.com/s/{searchTerms}http://www.softonic.com.br/s/{searchTerms}http://buscador.softonic.com/?q={searchTerms}http://nl.softonic.com/s/{searchTerms}https://search.softonic.com/?q={searchTerms}https://en.softonic.com/s/{searchTerms}https://www.softonic.com/s/{searchTerms}https://www.softonic.com.br/s/{searchTerms}https://buscador.softonic.com/?q={searchTerms}https://nl.softonic.com/s/{searchTer
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60619
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60618
Source: unknown	Network traffic detected: HTTP traffic on port 60618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60620
Source: unknown	Network traffic detected: HTTP traffic on port 60619 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60621 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60621

Source: installcriptocns.exe, 00000005.00000003.1303053946.0000000005CD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe2 vs installcriptocns.exe
Source: installcriptocns.exe, 00000005.00000003.1303053946.0000000005CDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe2 vs installcriptocns.exe

Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03

Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: criptocns.exe, 0000000F.00000000.2074063248.00007FF74C359000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE cookies(creation_utc INTEGER NOT NULL,host_key TEXT NOT NULL,top_frame_site_key TEXT NOT NULL,name TEXT NOT NULL,value TEXT NOT NULL,encrypted_value BLOB NOT NULL,path TEXT NOT NULL,expires_utc INTEGER NOT NULL,is_secure INTEGER NOT NULL,is_httponly INTEGER NOT NULL,last_access_utc INTEGER NOT NULL,has_expires INTEGER NOT NULL,is_persistent INTEGER NOT NULL,priority INTEGER NOT NULL,samesite INTEGER NOT NULL,source_scheme INTEGER NOT NULL,source_port INTEGER NOT NULL,is_same_party INTEGER NOT NULL);
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

Source: unknown	Process created: C:\Users\user\Desktop\installcriptocns.exe "C:\Users\user\Desktop\installcriptocns.exe"
Source: unknown	Process created: C:\Users\user\Desktop\installcriptocns.exe "C:\Users\user\Desktop\installcriptocns.exe" --rerunningWithoutUAC
Source: C:\Users\user\Desktop\installcriptocns.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-install 1.1.1
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-firstrun
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice/service.js "--log={\"path\":\"C:\\Users\\user\\.criptocns\",\"fname\":\"criptocns-n.log\",\"maxSize\":2048,\"rotate\":5,\"level\":1}" "--server={\"port\":9171,\"maxAge\":1800,\"trustedOrigins\":{\"warning\":true,\"origins\":[]}}" --service=CriptoCNS
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --mojo-platform-channel-handle=2012 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hash kdialog 2>/dev/null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "kdialog"' 2>&1>/dev/null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where kdialog"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where kdialog
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where kdialog.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where kdialog.exe
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe kdialog
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe kdialog.exe
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hash zenity 2>/dev/null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "zenity"' 2>&1>/dev/null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where zenity"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where zenity
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where zenity.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where zenity.exe
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe zenity
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity.exe"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --app-user-model-id=com.squirrel.CriptoCNS.criptocns --app-path="C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app" --no-sandbox --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=4564869468 --mojo-platform-channel-handle=2308 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe zenity.exe
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hash yad 2>/dev/null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "yad"' 2>&1>/dev/null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where yad"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where yad
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where yad.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where yad.exe
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe yad"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe yad
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe yad.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe yad.exe
Source: C:\Users\user\Desktop\installcriptocns.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-install 1.1.1	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-firstrun	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice/service.js "--log={\"path\":\"C:\\Users\\user\\.criptocns\",\"fname\":\"criptocns-n.log\",\"maxSize\":2048,\"rotate\":5,\"level\":1}" "--server={\"port\":9171,\"maxAge\":1800,\"trustedOrigins\":{\"warning\":true,\"origins\":[]}}" --service=CriptoCNS	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --mojo-platform-channel-handle=2012 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --app-user-model-id=com.squirrel.CriptoCNS.criptocns --app-path="C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app" --no-sandbox --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=4564869468 --mojo-platform-channel-handle=2308 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hash kdialog 2>/dev/null"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "kdialog"' 2>&1>/dev/null"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where kdialog"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where kdialog.exe"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog.exe"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hash zenity 2>/dev/null"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "zenity"' 2>&1>/dev/null"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where zenity"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where zenity.exe"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity.exe"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "hash yad 2>/dev/null"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "yad"' 2>&1>/dev/null"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where yad"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where yad.exe"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe yad"
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where.exe yad.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where kdialog
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where kdialog.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe kdialog
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe kdialog.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where zenity
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where zenity.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe zenity
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe zenity.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where yad
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where yad.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe yad
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where.exe yad.exe

Source: installcriptocns.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: installcriptocns.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: installcriptocns.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: installcriptocns.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: installcriptocns.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: installcriptocns.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: installcriptocns.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: installcriptocns.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: installcriptocns.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: installcriptocns.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: installcriptocns.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: criptocns.exe.10.dr	Static PE information: section name: .00cfg
Source: criptocns.exe.10.dr	Static PE information: section name: .retplne
Source: criptocns.exe.10.dr	Static PE information: section name: .rodata
Source: criptocns.exe.10.dr	Static PE information: section name: CPADinfo
Source: criptocns.exe.10.dr	Static PE information: section name: _RDATA
Source: criptocns.exe.10.dr	Static PE information: section name: malloc_h
Source: ffmpeg.dll.10.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.10.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.10.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.10.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.10.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.10.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.10.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.10.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.10.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.10.dr	Static PE information: section name: _RDATA
Source: vk_swiftshader.dll.10.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.10.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.10.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.10.dr	Static PE information: section name: _RDATA
Source: hamahiri-native.node.10.dr	Static PE information: section name: _RDATA
Source: lock-native.node.10.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\installcriptocns.exe	File created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock-native.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\hamahiri-native.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\criptocns.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\swiftshader\libEGL.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1A930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	Memory allocated: 1A850000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Window / User API: threadDelayed 9339	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Window / User API: threadDelayed 453	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	Window / User API: threadDelayed 490	Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock-native.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\hamahiri-native.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\criptocns.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libGLESv2.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7004	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe TID: 5208	Thread sleep count: 490 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe TID: 6588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809			Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File Volume queried: C:\Users\user\AppData\Roaming\criptocns\Code Cache\wasm FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File Volume queried: C:\Users\user\AppData\Roaming\criptocns\Code Cache\js FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File Volume queried: C:\Users\user\AppData\Roaming\criptocns\blob_storage\99c2638c-ca1f-4b1f-9001-5d6684703d74 FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	File Volume queried: C:\Users\user\AppData\Roaming\criptocns\Cache\Cache_Data FullSizeInformation

Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMware Virtual Webcam
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMware Fusion 4 has corrupt rendering with Win Vista+
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMnet
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMware, Inc.
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMware Inc.
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: eb1a:2860eb1a:28201ce6:282012ab:03801943:22530c45:64d00c45:64d21bcf:298504ca:704704ca:704804f2:b3ed04f2:b3ca05c8:035d05c8:036904ca:709513d3:52570bda:57f20fd9:0066VMware Virtual WebcamMedia.VideoCapture.BlacklistedDeviceGoogle Camera AdapterIP Camera [JPEG/MJPEG]CyberLink Webcam SplitterEpocCam../../media/capture/video/video_capture_metrics.ccDevice supports Media.VideoCapture.Device.SupportedPixelFormatMedia.VideoCapture.Device.SupportedResolution
Source: criptocns.exe, 0000000F.00000002.2659980788.000002306824E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: criptocns.exe, 0000000F.00000002.2659980788.000002306824E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWO&h0
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: Gearway Electronics (Dong Guan) Co., Ltd.VMware Inc.Olimex Ltd.
Source: criptocns.exe, 0000000F.00000002.2659980788.000002306824E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws\System32\en-US\wshqos.dll.mui
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: Qemu Audio Device
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: Update.exe, 0000000A.00000002.2283567664.000000001FE30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: VMware can crash with older drivers and WebGL content
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: Access-Control-Allow-Credentials: trueNet.RedirectChainLengthurl_chainload_state_paramdelegate_blocked_byhas_uploadis_pendingDelegateNet.URLRequest.ReferrerPolicyForRequest.SameOriginNet.URLRequest.ReferrerHasInformativePath.SameOriginNet.URLRequest.ReferrerPolicyForRequest.CrossOriginNet.URLRequest.ReferrerHasInformativePath.CrossOrigin../../net/url_request/url_request_job.ccOnDonenum_failuresrelease_after_msThrottling.RequestThrottled../../net/base/network_interfaces_win.ccWlanApiwlanapi.dllWlanQueryInterfaceWlanSetInterfaceVMnetGetAdaptersAddresses failed: 8Q

Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: ../../electron/shell/browser/ui/views/electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd
Source: criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: ?@../../third_party/webrtc/modules/desktop_capture/win/cursor.ccCreateMouseCursorFromHCursorUnable to get cursor icon info. Error = Unable to get bitmap info. Error = Unable to get bitmap bits. Error = DwmIsCompositionEnabledDwmGetWindowAttribute../../third_party/webrtc/modules/desktop_capture/win/window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_Progman

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\background.gif VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\setupIcon.ico VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\background.gif VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\Update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\package.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\package.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\main.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\main.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\config.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\config.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\config.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\options.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\options.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\wanhamou.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\wanhamou.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\wanhamou.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\module.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\module.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\module.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\update.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\update.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\update.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock-native.node VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock-native.node VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\distribution.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\service.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\service.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\alert\index.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\alert\index.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\alert\node.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\alert\node.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\is-program-installed VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\is-program-installed\index.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\is-program-installed VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\is-program-installed\index.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\options.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\options.js VolumeInformation
Source: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	Queries volume information: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice\options.js VolumeInformation

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report installcriptocns.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\CriptoCNS\Update.exe

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\LICENSE

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\Squirrel-UpdateSelf.log

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\chrome_100_percent.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\chrome_200_percent.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\d3dcompiler_47.dll

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\ffmpeg.dll

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\icudtl.dat

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libEGL.dll

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libGLESv2.dll

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\am.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\ar.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\bg.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\bn.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\ca.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\cs.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\da.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\de.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\el.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\en-GB.pak

C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\locales\en-US.pak

Windows Analysis Report
installcriptocns.exe

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	11 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	32 Virtualization/Sandbox Evasion	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner
C:\Users\user\AppData\Local\CriptoCNS\Update.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\hamahiri-native.node	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\components\lock-native.node	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\alert\cli.js	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\node-addon-api\tools\clang-format.js	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\node-addon-api\tools\conversion.js	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\node_modules\node-addon-api\tools\eslint-format.js	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\squirrel.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\swiftshader\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\swiftshader\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CriptoCNS\criptocns.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/myuser/myrepo	Update.exe, 0000000A.00000000.1303554849.0000000000452000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 0000000A.00000002.2243154286.0000000012951000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/speech-api/full-duplex/v1	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B720000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/tr.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://url.spec.whatwg.org/#concept-url-origin	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://tools.ietf.org/html/rfc6455#section-1.3	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/alert/node.js	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/tempfiles/sample.css	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.google.com/chrome/answer/6098869	Update.exe, 0000000A.00000002.2156780159.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.dhimyotis.com/certignarootca.crl0	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/alert/.github/ISSUE_TEMPLATE.md	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/asn1js/package.json	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/tempfiles/sample.exe	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B720000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://www.color.org	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/is-program-installed/.github/CONTRIBUTI	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/fi.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://encoding.spec.whatwg.org/#textencoder	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/appservice/res/origens.png	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://github.com/tc39/proposal-weakrefs	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://goo.gl/t5IS6M).	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://tc39.github.io/ecma262/#sec-%iteratorprototype%-object	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://url.spec.whatwg.org/#concept-urlencoded-serializer	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://www.chromestatus.com/feature/5629582019395584.	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://www.chromium.org/blink/origin-trials/portals.	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://schemas.openxmlformats.or	Update.exe, 0000000A.00000002.2156780159.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/kn.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://nodejs.org/api/fs.html	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://chromium.googlesource.com/chromium/src/	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp, criptocns.exe, 0000000F.00000000.2074063248.00007FF74C359000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/he.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/es-419.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/en-GB.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/nodejs/node/pull/21313	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/node-addon-api/napi-inl.h	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.chromium.org/blink/origin-trials/portals.The	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://www.chromestatus.com/feature/%s	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/pvutils/README.md	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/ja.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.midnight-commander.org/browser/lib/tty/key.c	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://nodejs.org/	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://tools.ietf.org/html/rfc7540#section-8.1.2.5	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://wwww.certigna.fr/autorites/0m	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/node-addon-api/noexcept.gypi	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.squid-cache.org/Doc/config/half_closed_clients/	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/en-US.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/ca.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://github.com/nodejs/node/pull/33661	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://narwhaljs.org)	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://crbug.com/1234857.	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B720000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/appservice/res/defender.png	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://localhosthttp://127.0.0.1object-src	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://chrome-devtools-frontend.appspot.com/serve_rev/%s/%s.html/devtools/page/%s?ws=%s%s%sMalforme	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B720000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://code.google.com/p/chromium/issues/detail?id=25916	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/alert/.github/workflows/test.yml	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/is-program-installed/.github/workflows/	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/node-addon-api/index.js	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/electron/electron/issues/18397.Module	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://www.xfa.org/schema/xdc/	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://github.com/nodejs/node/pull/12607	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/appservice/config.js	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecma-international.org/ecma-262/#sec-line-terminators	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/alert/.editorconfig	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://goo.gl/LdLk22Failed	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://tools.ietf.org/html/rfc3492)	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/CriptoCNS.nuspec	Update.exe, 0000000A.00000002.2156780159.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/tempfiles/sample.png	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://html4/loose.dtd	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/de.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://crbug.com/1053756	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/fa.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/libGLESv2.dll	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/alert/LICENSE.md	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.chrome.com/docs/extensions/mv3/cross-origin-isolation/.	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://github.com/WICG/construct-stylesheets/issues/119#issuecomment-588352418.	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/is-program-installed/.github/FUNDING.ym	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/w3c/webappsec-trusted-types/wiki/Trusted-Types-for-function-constructor	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://heycam.github.io/webidl/#es-iterable-entries	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://heycam.github.io/webidl/#es-interfaces	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/gu.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.xfa.org/schema/xfa-template/	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/Cloudflare	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B096000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/tempfiles/sample.css0y	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/sl.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/nodejs/node/issues	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://www.quovadisglobal.com/cps0	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false	URL Reputation: safe	unknown
https://bit.ly/31yqMJR.GpuLockdownDefaultDacl	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://tc39.github.io/ecma262/#sec-object.prototype.tostring	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://url.spec.whatwg.org/#urlsearchparams	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/ko.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/locales/hu.pak	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://defaultcontainer/lib/net45/resources/app/node_modules/is-program-installed/README.md	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.chromestatus.com/feature/5749447073988608Added	criptocns.exe, 0000000C.00000000.1968329647.00007FF74B964000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://defaultcontainer/tempfiles/sample.map	Update.exe, 0000000A.00000002.2156780159.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://heycam.github.io/webidl/#Replaceable	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://github.com/nodejs/node/pull/30380#issuecomment-552948364	criptocns.exe, 0000000C.00000000.1968329647.00007FF74BC78000.00000002.00000001.01000000.00000010.sdmp	false		unknown

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531119
Start date and time:	2024-10-10 21:35:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	69
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	installcriptocns.exe
Detection:	SUS
Classification:	sus30.troj.winEXE@96/209@1/1
Cookbook Comments:	Found application associated with file extension: .exe

Time	Type	Description
15:36:11	API Interceptor	88x Sleep call for process: Update.exe modified
15:37:34	API Interceptor	186x Sleep call for process: explorer.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	36.msi	Get hash	malicious	Numando	Browse
	33.msi	Get hash	malicious	Numando	Browse
	QbAwyjyAk3.lnk	Get hash	malicious	Numando	Browse
	btm4e0L3pw.lnk	Get hash	malicious	Numando	Browse
	26.msi	Get hash	malicious	Numando	Browse
	https://www.newtonsoft.com/json	Get hash	malicious	Unknown	Browse
	https://media.thesocialpresskit.com/american-bankers-association/BNAT2024PrintablesPostcard2.zip	Get hash	malicious	Unknown	Browse
	HP Service File Loader.exe	Get hash	malicious	Unknown	Browse
	https://www.mediafire.com/file/dl1ll51b96z8hcb/paginas_para_descargar_Vectores_gratis_2018.zip/file	Get hash	malicious	Unknown	Browse
	original.eml	Get hash	malicious	HtmlDropper	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	36.msi	Get hash	malicious	Numando	Browse	162.159.61.3
	33.msi	Get hash	malicious	Numando	Browse	162.159.61.3
	QbAwyjyAk3.lnk	Get hash	malicious	Numando	Browse	162.159.61.3
	btm4e0L3pw.lnk	Get hash	malicious	Numando	Browse	162.159.61.3
	26.msi	Get hash	malicious	Numando	Browse	162.159.61.3
	https://www.newtonsoft.com/json	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://media.thesocialpresskit.com/american-bankers-association/BNAT2024PrintablesPostcard2.zip	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://premierbb.sharefile.com/public/share/web-189361297164461c	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	172.64.41.3
	HP Service File Loader.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://www.mediafire.com/file/dl1ll51b96z8hcb/paginas_para_descargar_Vectores_gratis_2018.zip/file	Get hash	malicious	Unknown	Browse	162.159.61.3

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://helawok.x-sns.cloud/	Get hash	malicious	HTMLPhisher	Browse	172.64.146.38
	Yx1Wz608PO.exe	Get hash	malicious	Unknown	Browse	172.67.183.40
	Yx1Wz608PO.exe	Get hash	malicious	Unknown	Browse	172.67.183.40
	https://anviict.com/?qvtvxymb	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Play_VM-Now(Eslifka)CLQD.htm	Get hash	malicious	Unknown	Browse	188.114.96.3
	bc3c228ad2c13f96cb14375c3860e802.pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	Kevin Burrell shared 'Team A Pictures and Presentation' in 'Eric Meyn's Workspace' with you.msg	Get hash	malicious	Unknown	Browse	162.247.243.39
	O1cd60GrHb.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.21.54.168
	original (1).eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	O1cd60GrHb.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.21.54.168

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\d3dcompiler_47.dll	VegaX.exe	Get hash	malicious	Unknown	Browse
	VegaX.exe	Get hash	malicious	Unknown	Browse
	F_2673HAL.exe	Get hash	malicious	Unknown	Browse
	F_2673HAL.exe	Get hash	malicious	Unknown	Browse
	Wordle_x64LTS.exe	Get hash	malicious	Unknown	Browse
	RummikubSetup_ex64LTS.exe	Get hash	malicious	Unknown	Browse
	YouTubeAppSetup.exe	Get hash	malicious	Unknown	Browse
	SteamSetup.exe	Get hash	malicious	Unknown	Browse
	Wordle_x64LTS.exe	Get hash	malicious	Unknown	Browse
	RummikubSetup_ex64LTS.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1904128
Entropy (8bit):	5.888268078835746
Encrypted:	false
SSDEEP:	24576:wWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m/:Nt3UCiag6CKM2zCyZuOjJaxSS5qh
MD5:	6FCBE10724D6C767002A845C0BBE1139
SHA1:	18B57D7646DEB32B5681934E2921E98F55818246
SHA-256:	28A913DB4008030DE78F2E5C04A27BC81DBA0C4147248B95078AD1ACA2D1AC9D
SHA-512:	0E0A1C39D648C8B47E20CCA500402DCAE542BD8182E37A37A924DF496FF38F9A19C78EE22C3C78A9C88CB94227C9FEE1C9D410F08BECB0BE46F298635FF6B2ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\CriptoCNS\Update.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.p_............................>.... ........@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H.......LU..............,.................................................{......{......{....r.(......}......}......}........0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o.......0..K....... .A. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(........{......{....