Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Analysis ID:756002
MD5:d6f0e59d1bb1d559029da21e132a1c9b
SHA1:7b760ca553c6d95126146825b1f5b846d5a69378
SHA256:0afcaf64f298203c19ee5001aeb67a4a785a2a3a56fac3ead54c86811583d873
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • wPBZqbH.exe (PID: 2816 cmdline: "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe" MD5: D6F0E59D1BB1D559029DA21E132A1C9B)
    • wPBZqbH.exe (PID: 5328 cmdline: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe MD5: D6F0E59D1BB1D559029DA21E132A1C9B)
  • wPBZqbH.exe (PID: 5316 cmdline: "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe" MD5: D6F0E59D1BB1D559029DA21E132A1C9B)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.akademetre.com", "Username": "suletas@akademetre.com", "Password": "st6473"}
SourceRuleDescriptionAuthorStrings
0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
        • 0x143c06:$a13: get_DnsResolver
        • 0x17a426:$a13: get_DnsResolver
        • 0x1b0a46:$a13: get_DnsResolver
        • 0x142313:$a20: get_LastAccessed
        • 0x178b33:$a20: get_LastAccessed
        • 0x1af153:$a20: get_LastAccessed
        • 0x144634:$a27: set_InternalServerPort
        • 0x17ae54:$a27: set_InternalServerPort
        • 0x1b1474:$a27: set_InternalServerPort
        • 0x144969:$a30: set_GuidMasterKey
        • 0x17b189:$a30: set_GuidMasterKey
        • 0x1b17a9:$a30: set_GuidMasterKey
        • 0x142425:$a33: get_Clipboard
        • 0x178c45:$a33: get_Clipboard
        • 0x1af265:$a33: get_Clipboard
        • 0x142433:$a34: get_Keyboard
        • 0x178c53:$a34: get_Keyboard
        • 0x1af273:$a34: get_Keyboard
        • 0x143800:$a35: get_ShiftKeyDown
        • 0x17a020:$a35: get_ShiftKeyDown
        • 0x1b0640:$a35: get_ShiftKeyDown
        0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          Click to see the 18 entries
          SourceRuleDescriptionAuthorStrings
          11.2.wPBZqbH.exe.2d3063c.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            11.2.wPBZqbH.exe.2d3063c.1.raw.unpackINDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPasteDetects executables potentially checking for WinJail sandbox windowditekSHen
            • 0xd16a:$v1: SbieDll.dll
            • 0xd184:$v2: USER
            • 0xd190:$v3: SANDBOX
            • 0xd1a2:$v4: VIRUS
            • 0xd1f2:$v4: VIRUS
            • 0xd1b0:$v5: MALWARE
            • 0xd1c2:$v6: SCHMIDTI
            • 0xd1d6:$v7: CURRENTUSER
            11.2.wPBZqbH.exe.2d12e6c.0.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
              11.2.wPBZqbH.exe.2d12e6c.0.raw.unpackINDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPasteDetects executables potentially checking for WinJail sandbox windowditekSHen
              • 0x2a93a:$v1: SbieDll.dll
              • 0x2a954:$v2: USER
              • 0x2a960:$v3: SANDBOX
              • 0x2a972:$v4: VIRUS
              • 0x2a9c2:$v4: VIRUS
              • 0x2a980:$v5: MALWARE
              • 0x2a992:$v6: SCHMIDTI
              • 0x2a9a6:$v7: CURRENTUSER
              0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
                Click to see the 25 entries
                No Sigma rule has matched
                Timestamp:192.168.2.3212.58.6.82496995872840032 11/29/22-13:51:17.089585
                SID:2840032
                Source Port:49699
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.3212.58.6.82496985872851779 11/29/22-13:50:47.438476
                SID:2851779
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.3212.58.6.82496985872840032 11/29/22-13:50:47.438476
                SID:2840032
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.3212.58.6.82496985872030171 11/29/22-13:50:47.438476
                SID:2030171
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.3212.58.6.82496995872851779 11/29/22-13:51:17.089585
                SID:2851779
                Source Port:49699
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.3212.58.6.82496995872030171 11/29/22-13:51:17.089495
                SID:2030171
                Source Port:49699
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.3212.58.6.82496995872839723 11/29/22-13:51:17.089495
                SID:2839723
                Source Port:49699
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.3212.58.6.82496985872839723 11/29/22-13:50:47.438476
                SID:2839723
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeReversingLabs: Detection: 45%
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeReversingLabs: Detection: 45%
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeJoe Sandbox ML: detected
                Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.akademetre.com", "Username": "suletas@akademetre.com", "Password": "st6473"}
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

                barindex
                Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49698 -> 212.58.6.82:587
                Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49698 -> 212.58.6.82:587
                Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49698 -> 212.58.6.82:587
                Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49698 -> 212.58.6.82:587
                Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49699 -> 212.58.6.82:587
                Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49699 -> 212.58.6.82:587
                Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49699 -> 212.58.6.82:587
                Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49699 -> 212.58.6.82:587
                Source: Joe Sandbox ViewASN Name: DORUKNETTR DORUKNETTR
                Source: Joe Sandbox ViewIP Address: 212.58.6.82 212.58.6.82
                Source: global trafficTCP traffic: 192.168.2.3:49698 -> 212.58.6.82:587
                Source: global trafficTCP traffic: 192.168.2.3:49698 -> 212.58.6.82:587
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                Source: wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://hVcQOe.com
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.553736174.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.akademetre.com
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: wPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://Xnj1QfqQIFq9bE.net
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                Source: unknownDNS traffic detected: queries for: mail.akademetre.com

                System Summary

                barindex
                Source: 11.2.wPBZqbH.exe.2d3063c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                Source: 11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 11.2.wPBZqbH.exe.2d3063c.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                Source: 11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 0_2_02E1C164
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 0_2_02E1E5A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 0_2_02E1E5B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 7_2_00F36CAE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 7_2_059CC570
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 7_2_059CD2D0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 7_2_059C29F8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 7_2_059C0910
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 7_2_059C0040
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename58651ded-a5cb-48e7-921d-91931b151fe1.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.312566728.0000000007610000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFNkO.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename58651ded-a5cb-48e7-921d-91931b151fe1.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.312712886.0000000007830000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000000.289835221.0000000000438000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename58651ded-a5cb-48e7-921d-91931b151fe1.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.535980691.0000000000939000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeBinary or memory string: OriginalFilenameFNkO.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: wPBZqbH.exe.7.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeReversingLabs: Detection: 45%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeJump to behavior
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.logJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile created: C:\Users\user\AppData\Local\Temp\tmp14ED.tmpJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/4@3/2
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, wPBZqbH.exe.7.drBinary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, wPBZqbH.exe.7.drBinary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, wPBZqbH.exe.7.drBinary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeString found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeString found in binary or memory: Username:-AddusertextBoxUsernameCash
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeCode function: 0_2_02E1F972 pushad ; iretd
                Source: initial sampleStatic PE information: section name: .text entropy: 7.661200368718481
                Source: initial sampleStatic PE information: section name: .text entropy: 7.661200368718481
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeJump to dropped file
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbHJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbHJump to behavior

                Hooking and other Techniques for Hiding and Protection

                barindex
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile opened: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: Yara matchFile source: 11.2.wPBZqbH.exe.2d3063c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: wPBZqbH.exe PID: 2816, type: MEMORYSTR
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5628Thread sleep time: -38122s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5712Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 2956Thread sleep count: 9672 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99859s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99734s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99624s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99509s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99396s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99278s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99160s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -99041s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -98930s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084Thread sleep time: -98597s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5448Thread sleep time: -38122s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5692Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -18446744073709540s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 1780Thread sleep count: 9764 > 30
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -99858s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -99734s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -99618s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -99500s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -99391s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708Thread sleep time: -99281s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5332Thread sleep time: -38122s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeWindow / User API: threadDelayed 9672
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeWindow / User API: threadDelayed 9764
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 38122
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 100000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99859
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99734
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99624
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99509
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99396
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99278
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99160
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 99041
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 98930
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeThread delayed: delay time: 98597
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 38122
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 100000
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 99858
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 99734
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 99618
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 99500
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 99391
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 99281
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeThread delayed: delay time: 38122
                Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeMemory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeProcess created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: wPBZqbH.exe PID: 5328, type: MEMORYSTR
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara matchFile source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: wPBZqbH.exe PID: 5328, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: wPBZqbH.exe PID: 5328, type: MEMORYSTR
                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts211
                Windows Management Instrumentation
                1
                Registry Run Keys / Startup Folder
                11
                Process Injection
                1
                Masquerading
                2
                OS Credential Dumping
                311
                Security Software Discovery
                Remote Services1
                Email Collection
                Exfiltration Over Other Network Medium1
                Encrypted Channel
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts2
                Command and Scripting Interpreter
                Boot or Logon Initialization Scripts1
                Registry Run Keys / Startup Folder
                1
                Disable or Modify Tools
                1
                Credentials in Registry
                1
                Process Discovery
                Remote Desktop Protocol1
                Archive Collected Data
                Exfiltration Over Bluetooth1
                Non-Standard Port
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
                Virtualization/Sandbox Evasion
                Security Account Manager131
                Virtualization/Sandbox Evasion
                SMB/Windows Admin Shares2
                Data from Local System
                Automated Exfiltration1
                Non-Application Layer Protocol
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
                Process Injection
                NTDS1
                Application Window Discovery
                Distributed Component Object ModelInput CaptureScheduled Transfer11
                Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Hidden Files and Directories
                LSA Secrets1
                Remote System Discovery
                SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common2
                Obfuscated Files or Information
                Cached Domain Credentials114
                System Information Discovery
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items3
                Software Packing
                DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 756002 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 28 _kerberos._tcp.dc._msdcs.akademetre.com 2->28 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 7 wPBZqbH.exe 3 2->7         started        10 SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe 3 2->10         started        13 wPBZqbH.exe 2 2->13         started        signatures3 process4 file5 52 Multi AV Scanner detection for dropped file 7->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Machine Learning detection for dropped file 7->56 15 wPBZqbH.exe 3 7->15         started        26 SecuriteInfo.com.W...11851.17452.exe.log, ASCII 10->26 dropped 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->58 19 SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe 2 6 10->19         started        signatures6 process7 dnsIp8 34 Tries to harvest and steal ftp login credentials 15->34 36 Tries to harvest and steal browser information (history, passwords, etc) 15->36 30 mail.akademetre.com 212.58.6.82, 49698, 49699, 587 DORUKNETTR Turkey 19->30 32 192.168.2.1 unknown unknown 19->32 22 C:\Users\user\AppData\Roaming\...\wPBZqbH.exe, PE32 19->22 dropped 24 C:\Users\user\...\wPBZqbH.exe:Zone.Identifier, ASCII 19->24 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->38 40 Tries to steal Mail credentials (via file / registry access) 19->40 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->42 file9 signatures10

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand
                SourceDetectionScannerLabelLink
                SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe45%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe100%Joe Sandbox ML
                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe45%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                SourceDetectionScannerLabelLinkDownload
                7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                No Antivirus matches
                SourceDetectionScannerLabelLink
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.carterandcone.coml0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                https://Xnj1QfqQIFq9bE.net0%Avira URL Cloudsafe
                http://hVcQOe.com0%Avira URL Cloudsafe
                http://mail.akademetre.com0%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                mail.akademetre.com
                212.58.6.82
                truetrue
                  unknown
                  _kerberos._tcp.dc._msdcs.akademetre.com
                  unknown
                  unknowntrue
                    unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                    http://127.0.0.1:HTTP/1.1SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    low
                    http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.fontbureau.comSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.fontbureau.com/designersGSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fontbureau.com/designers/?SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.tiro.comSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://Xnj1QfqQIFq9bE.netwPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designersSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.goodfont.co.krSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://hVcQOe.comwPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.carterandcone.comlSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.typography.netDSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://fontfabrik.comSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cnSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/frere-jones.htmlSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://mail.akademetre.comSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.553736174.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://DynDns.comDynDNSnamejidpasswordPsi/PsiwPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers8SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.fonts.comSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sandoll.co.krSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deDPleaseSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.zhongyicts.com.cnSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sakkal.comSecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
                                        IPDomainCountryFlagASNASN NameMalicious
                                        212.58.6.82
                                        mail.akademetre.comTurkey
                                        8685DORUKNETTRtrue
                                        IP
                                        192.168.2.1
                                        Joe Sandbox Version:36.0.0 Rainbow Opal
                                        Analysis ID:756002
                                        Start date and time:2022-11-29 13:49:09 +01:00
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 11m 3s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:16
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@7/4@3/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:Failed
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 23.35.236.109
                                        • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        TimeTypeDescription
                                        13:50:20API Interceptor602x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe modified
                                        13:50:37AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbH C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                                        13:50:46AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbH C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                                        13:50:52API Interceptor420x Sleep call for process: wPBZqbH.exe modified
                                        No context
                                        No context
                                        No context
                                        No context
                                        No context
                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        Process:C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):942592
                                        Entropy (8bit):7.654583285045402
                                        Encrypted:false
                                        SSDEEP:24576:FyDdEPf3ZQWjM2Xgx9cyEthRYxdIipRgIdbl:FTPfZpHw0hRO+i3zdbl
                                        MD5:D6F0E59D1BB1D559029DA21E132A1C9B
                                        SHA1:7B760CA553C6D95126146825B1F5B846D5A69378
                                        SHA-256:0AFCAF64F298203C19EE5001AEB67A4A785A2A3A56FAC3EAD54C86811583D873
                                        SHA-512:21615F5CCE87C73E219F8357AD7B989F1C9B769FF1440A3E6804DA6A9D020E864F39E22D32361EDD996D8D11F9945A60EAB2FE0B32F55A9AA5D0901FCB4DB4FB
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 45%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c..............0..Z.........."y... ........@.. ....................................@..................................x..O.................................................................................... ............... ..H............text...(Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............`..............@..B.................y......H.......<...........l...8u..............................................^..}.....(.......(.....*.0...........s......o......(.....*...0...........s......o......(.....*...0...........s......o......(.....*...0...........s......o......(.....*...0..+.........,..{.......+....,...{....o........(.....*..0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..
                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.654583285045402
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        File size:942592
                                        MD5:d6f0e59d1bb1d559029da21e132a1c9b
                                        SHA1:7b760ca553c6d95126146825b1f5b846d5a69378
                                        SHA256:0afcaf64f298203c19ee5001aeb67a4a785a2a3a56fac3ead54c86811583d873
                                        SHA512:21615f5cce87c73e219f8357ad7b989f1c9b769ff1440a3e6804da6a9d020e864f39e22d32361edd996d8d11f9945a60eab2fe0b32f55a9aa5d0901fcb4db4fb
                                        SSDEEP:24576:FyDdEPf3ZQWjM2Xgx9cyEthRYxdIipRgIdbl:FTPfZpHw0hRO+i3zdbl
                                        TLSH:C415D09033A6AF71F5796BF22511900827B23C5EA5F1D2296DDDF0DE2A72B4049F0B27
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0..Z.........."y... ........@.. ....................................@................................
                                        Icon Hash:00828e8e8686b000
                                        Entrypoint:0x4e7922
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6385A4CC [Tue Nov 29 06:21:00 2022 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xe78d00x4f.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xe80000x388.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xea0000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000xe59280xe5a00False0.8265057243467611data7.661200368718481IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc0xe80000x3880x400False0.37109375data2.851224218573292IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0xea0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        NameRVASizeTypeLanguageCountry
                                        RT_VERSION0xe80580x32cdata
                                        DLLImport
                                        mscoree.dll_CorExeMain
                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                        192.168.2.3212.58.6.82496995872840032 11/29/22-13:51:17.089585TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249699587192.168.2.3212.58.6.82
                                        192.168.2.3212.58.6.82496985872851779 11/29/22-13:50:47.438476TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49698587192.168.2.3212.58.6.82
                                        192.168.2.3212.58.6.82496985872840032 11/29/22-13:50:47.438476TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249698587192.168.2.3212.58.6.82
                                        192.168.2.3212.58.6.82496985872030171 11/29/22-13:50:47.438476TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49698587192.168.2.3212.58.6.82
                                        192.168.2.3212.58.6.82496995872851779 11/29/22-13:51:17.089585TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49699587192.168.2.3212.58.6.82
                                        192.168.2.3212.58.6.82496995872030171 11/29/22-13:51:17.089495TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49699587192.168.2.3212.58.6.82
                                        192.168.2.3212.58.6.82496995872839723 11/29/22-13:51:17.089495TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49699587192.168.2.3212.58.6.82
                                        192.168.2.3212.58.6.82496985872839723 11/29/22-13:50:47.438476TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49698587192.168.2.3212.58.6.82
                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 29, 2022 13:50:46.464090109 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:46.511168957 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:46.511468887 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:46.558432102 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:46.559271097 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:46.606108904 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:46.655273914 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:46.935766935 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:46.983202934 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:46.992780924 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.039427042 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.040189028 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.089314938 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.097309113 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.144164085 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.164084911 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.212336063 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.264759064 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.360836029 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.408160925 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.438476086 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.438476086 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.439301968 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.439404011 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:50:47.485557079 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.485599995 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.487940073 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:50:47.530864000 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.604470968 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.652203083 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:16.652467012 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.699928999 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:16.700433016 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.747869015 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:16.788933992 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.836425066 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:16.836760044 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.883714914 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:16.897727966 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.945310116 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:16.945756912 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:16.993016958 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:16.993458033 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:17.041285992 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:17.041623116 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:17.088543892 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:17.089494944 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:17.089585066 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:17.089683056 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:17.089716911 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:51:17.136337042 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:17.136367083 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:17.138907909 CET58749699212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:51:17.189062119 CET49699587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:52:26.316526890 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:52:26.397782087 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:52:26.397880077 CET58749698212.58.6.82192.168.2.3
                                        Nov 29, 2022 13:52:26.397990942 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:52:26.398627996 CET49698587192.168.2.3212.58.6.82
                                        Nov 29, 2022 13:52:26.445650101 CET58749698212.58.6.82192.168.2.3
                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 29, 2022 13:50:46.354928970 CET4997753192.168.2.38.8.8.8
                                        Nov 29, 2022 13:50:46.420072079 CET53499778.8.8.8192.168.2.3
                                        Nov 29, 2022 13:50:46.813074112 CET5784053192.168.2.38.8.8.8
                                        Nov 29, 2022 13:50:46.886568069 CET53578408.8.8.8192.168.2.3
                                        Nov 29, 2022 13:51:16.486697912 CET5799053192.168.2.38.8.8.8
                                        Nov 29, 2022 13:51:16.571836948 CET53579908.8.8.8192.168.2.3
                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Nov 29, 2022 13:50:46.354928970 CET192.168.2.38.8.8.80xac75Standard query (0)mail.akademetre.comA (IP address)IN (0x0001)false
                                        Nov 29, 2022 13:50:46.813074112 CET192.168.2.38.8.8.80x1488Standard query (0)_kerberos._tcp.dc._msdcs.akademetre.com33IN (0x0001)false
                                        Nov 29, 2022 13:51:16.486697912 CET192.168.2.38.8.8.80x2c79Standard query (0)mail.akademetre.comA (IP address)IN (0x0001)false
                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Nov 29, 2022 13:50:46.420072079 CET8.8.8.8192.168.2.30xac75No error (0)mail.akademetre.com212.58.6.82A (IP address)IN (0x0001)false
                                        Nov 29, 2022 13:50:46.886568069 CET8.8.8.8192.168.2.30x1488Name error (3)_kerberos._tcp.dc._msdcs.akademetre.comnonenone33IN (0x0001)false
                                        Nov 29, 2022 13:51:16.571836948 CET8.8.8.8192.168.2.30x2c79No error (0)mail.akademetre.com212.58.6.82A (IP address)IN (0x0001)false
                                        TimestampSource PortDest PortSource IPDest IPCommands
                                        Nov 29, 2022 13:50:46.558432102 CET58749698212.58.6.82192.168.2.3220 cmail16.webkontrol.doruk.net.tr ESMTP IceWarp Deep Castle 2 Update 2 build 14; Tue, 29 Nov 2022 15:51:08 +0300
                                        Nov 29, 2022 13:50:46.559271097 CET49698587192.168.2.3212.58.6.82EHLO 562258
                                        Nov 29, 2022 13:50:46.606108904 CET58749698212.58.6.82192.168.2.3250-cmail16.webkontrol.doruk.net.tr Hello 562258 [102.129.143.49], pleased to meet you.
                                        250-ENHANCEDSTATUSCODES
                                        250-SIZE 31457280
                                        250-EXPN
                                        250-ETRN
                                        250-ATRN
                                        250-CHECKPOINT
                                        250-8BITMIME
                                        250-DSN
                                        250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
                                        250-STARTTLS
                                        250-VRFY
                                        250 HELP
                                        Nov 29, 2022 13:50:46.935766935 CET49698587192.168.2.3212.58.6.82AUTH gssapi TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==
                                        Nov 29, 2022 13:50:46.983202934 CET58749698212.58.6.82192.168.2.3535 5.7.8 Authentication credentials invalid
                                        Nov 29, 2022 13:50:46.992780924 CET49698587192.168.2.3212.58.6.82AUTH login c3VsZXRhc0Bha2FkZW1ldHJlLmNvbQ==
                                        Nov 29, 2022 13:50:47.039427042 CET58749698212.58.6.82192.168.2.3334 UGFzc3dvcmQ6
                                        Nov 29, 2022 13:50:47.089314938 CET58749698212.58.6.82192.168.2.3235 2.0.0 Authentication successful
                                        Nov 29, 2022 13:50:47.097309113 CET49698587192.168.2.3212.58.6.82MAIL FROM:<suletas@akademetre.com>
                                        Nov 29, 2022 13:50:47.144164085 CET58749698212.58.6.82192.168.2.3250 2.1.0 <suletas@akademetre.com>... Sender ok
                                        Nov 29, 2022 13:50:47.164084911 CET49698587192.168.2.3212.58.6.82RCPT TO:<suletas@akademetre.com>
                                        Nov 29, 2022 13:50:47.212336063 CET58749698212.58.6.82192.168.2.3250 2.1.5 <suletas@akademetre.com>... Recipient ok
                                        Nov 29, 2022 13:50:47.360836029 CET49698587192.168.2.3212.58.6.82DATA
                                        Nov 29, 2022 13:50:47.408160925 CET58749698212.58.6.82192.168.2.3354 Enter mail, end with "." on a line by itself
                                        Nov 29, 2022 13:50:47.439404011 CET49698587192.168.2.3212.58.6.82.
                                        Nov 29, 2022 13:50:47.487940073 CET58749698212.58.6.82192.168.2.3250 2.6.0 724 bytes received in 00:00:00; Message id 202211291551094239 accepted for delivery
                                        Nov 29, 2022 13:51:16.699928999 CET58749699212.58.6.82192.168.2.3220 cmail16.webkontrol.doruk.net.tr ESMTP IceWarp Deep Castle 2 Update 2 build 14; Tue, 29 Nov 2022 15:51:38 +0300
                                        Nov 29, 2022 13:51:16.700433016 CET49699587192.168.2.3212.58.6.82EHLO 562258
                                        Nov 29, 2022 13:51:16.747869015 CET58749699212.58.6.82192.168.2.3250-cmail16.webkontrol.doruk.net.tr Hello 562258 [102.129.143.49], pleased to meet you.
                                        250-ENHANCEDSTATUSCODES
                                        250-SIZE 31457280
                                        250-EXPN
                                        250-ETRN
                                        250-ATRN
                                        250-CHECKPOINT
                                        250-8BITMIME
                                        250-DSN
                                        250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
                                        250-STARTTLS
                                        250-VRFY
                                        250 HELP
                                        Nov 29, 2022 13:51:16.788933992 CET49699587192.168.2.3212.58.6.82AUTH gssapi TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==
                                        Nov 29, 2022 13:51:16.836425066 CET58749699212.58.6.82192.168.2.3535 5.7.8 Authentication credentials invalid
                                        Nov 29, 2022 13:51:16.836760044 CET49699587192.168.2.3212.58.6.82AUTH login c3VsZXRhc0Bha2FkZW1ldHJlLmNvbQ==
                                        Nov 29, 2022 13:51:16.883714914 CET58749699212.58.6.82192.168.2.3334 UGFzc3dvcmQ6
                                        Nov 29, 2022 13:51:16.945310116 CET58749699212.58.6.82192.168.2.3235 2.0.0 Authentication successful
                                        Nov 29, 2022 13:51:16.945756912 CET49699587192.168.2.3212.58.6.82MAIL FROM:<suletas@akademetre.com>
                                        Nov 29, 2022 13:51:16.993016958 CET58749699212.58.6.82192.168.2.3250 2.1.0 <suletas@akademetre.com>... Sender ok
                                        Nov 29, 2022 13:51:16.993458033 CET49699587192.168.2.3212.58.6.82RCPT TO:<suletas@akademetre.com>
                                        Nov 29, 2022 13:51:17.041285992 CET58749699212.58.6.82192.168.2.3250 2.1.5 <suletas@akademetre.com>... Recipient ok
                                        Nov 29, 2022 13:51:17.041623116 CET49699587192.168.2.3212.58.6.82DATA
                                        Nov 29, 2022 13:51:17.088543892 CET58749699212.58.6.82192.168.2.3354 Enter mail, end with "." on a line by itself
                                        Nov 29, 2022 13:51:17.089716911 CET49699587192.168.2.3212.58.6.82.
                                        Nov 29, 2022 13:51:17.138907909 CET58749699212.58.6.82192.168.2.3250 2.6.0 724 bytes received in 00:00:00; Message id 202211291551384797 accepted for delivery
                                        Nov 29, 2022 13:52:26.316526890 CET49698587192.168.2.3212.58.6.82QUIT
                                        Nov 29, 2022 13:52:26.397782087 CET58749698212.58.6.82192.168.2.3221 2.0.0 cmail16.webkontrol.doruk.net.tr closing connection

                                        Click to jump to process

                                        Target ID:0
                                        Start time:13:50:12
                                        Start date:29/11/2022
                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        Imagebase:0xb90000
                                        File size:942592 bytes
                                        MD5 hash:D6F0E59D1BB1D559029DA21E132A1C9B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        Target ID:7
                                        Start time:13:50:22
                                        Start date:29/11/2022
                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
                                        Imagebase:0x490000
                                        File size:942592 bytes
                                        MD5 hash:D6F0E59D1BB1D559029DA21E132A1C9B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        Target ID:11
                                        Start time:13:50:46
                                        Start date:29/11/2022
                                        Path:C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
                                        Imagebase:0x8f0000
                                        File size:942592 bytes
                                        MD5 hash:D6F0E59D1BB1D559029DA21E132A1C9B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 45%, ReversingLabs
                                        Reputation:low

                                        Target ID:12
                                        Start time:13:50:54
                                        Start date:29/11/2022
                                        Path:C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                                        Imagebase:0x440000
                                        File size:942592 bytes
                                        MD5 hash:D6F0E59D1BB1D559029DA21E132A1C9B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        Target ID:13
                                        Start time:13:50:54
                                        Start date:29/11/2022
                                        Path:C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
                                        Imagebase:0xf60000
                                        File size:942592 bytes
                                        MD5 hash:D6F0E59D1BB1D559029DA21E132A1C9B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        No disassembly