Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Analysis ID:	1519365
MD5:	3e2ea8c3f5ca13f16f8ca1c85087f6b6
SHA1:	bc8727f0e142e331b34f01d2dc483da61b24db6b
SHA256:	3e0693e5ed5ef3326bd7f6e54db8adc71e28540c2c3e2a60cbf8d1bdb0ff41f3
Tags:	exe
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.PDB source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457738181.0000000001337000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbn source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbQ source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457738181.0000000001337000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb* source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdba source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb<T6 source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.PDBJ source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbH source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 4x nop then jmp 06FA5375h	0_2_06FA4F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 4x nop then jmp 06FA5375h	0_2_06FA48E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 4x nop then jmp 06FA5375h	0_2_06FA49FA

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

May check the online IP address of the machine

Source: unknown

DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003400000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1373260181.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013CDA4C	0_2_013CDA4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA6F98	0_2_06FA6F98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA24D0	0_2_06FA24D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA24C0	0_2_06FA24C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA0478	0_2_06FA0478
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA1B20	0_2_06FA1B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA0040	0_2_06FA0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA0006	0_2_06FA0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_078191B0	0_2_078191B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781CF28	0_2_0781CF28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_07817710	0_2_07817710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_07817720	0_2_07817720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781CF17	0_2_0781CF17
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781FA88	0_2_0781FA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781FAA8	0_2_0781FAA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 6_2_017C394B	6_2_017C394B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 6_2_017C3E09	6_2_017C3E09

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 1524

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000000.1349778814.0000000000A1E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSEhZ.exe0 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1373260181.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1377816076.0000000007290000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1373260181.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1362709774.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Binary or memory string: OriginalFilenameSEhZ.exe0 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/11@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.log

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 1524
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	.Net Code: Y0SUwLXjc4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	.Net Code: Y0SUwLXjc4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2db5b4c.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7ef0000.8.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2dbf164.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e0fccc.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e066b4.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C4779 push ebp; iretd	0_2_013C477A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C477B push ebp; iretd	0_2_013C4782
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C47B1 push esi; iretd	0_2_013C47B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C4659 push edx; iretd	0_2_013C465A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C465B push edx; iretd	0_2_013C4662
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C46B9 push edx; iretd	0_2_013C46BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C9771 pushfd ; iretd	0_2_013C9772
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781C5E8 push eax; iretd	0_2_0781C5E9

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, B5htBfs6Eq60LvMyWr.cs	High entropy of concatenated method names: 'w57qscG8RD', 'x7YqmqC8Eh', 'ocGqkZwtlW', 'YEOkZu65Z3', 'WuCkzB7aRn', 'PLdqFVe9nq', 'or2qBxUlFK', 'ECFqWpjDeU', 'mh8qrHFT6u', 'u7gqUiT0Rl'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, bmncYvqpj1lkAkdaQY.cs	High entropy of concatenated method names: 'Dispose', 'IcXBCLO8dK', 'OprWH8BmSy', 'qyxVVUCACc', 'rWyBZKWZOd', 'ca6BzUmIwp', 'ProcessDialogKey', 'bvsWFFNFRT', 'pHJWB2uDHa', 'vNdWWWcIPj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, Kfn4gOm6qJR5uQnJ51.cs	High entropy of concatenated method names: 'Cev1B8FA1K', 'C0x1rEctfk', 'lt51UPv0iK', 'g8U1sCb5y0', 'UpQ1IT9URT', 'PXW1yMqku4', 'qL41kVLh3p', 'DaaPoI8YYe', 'HXwPiaOwJN', 'kIBPCnQAKB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, cTP0ujQ4unMvfM1Q7j.cs	High entropy of concatenated method names: 'T1tuM2V1Z1', 'tmdu3YGU3n', 'r5juGdGarH', 'fBeuHNSPOs', 'reouhLNGS1', 'Tfuu2pAZ9V', 'OlLuE1IDtm', 'u4wundyhXV', 'LZbufJtWM4', 'qUeupD3qq4'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, pCZRiIVyb8gQ36Jscb.cs	High entropy of concatenated method names: 'Cuaq78BXpo', 'eJfq6HMgjS', 'eoNqwvC5rd', 'n9yqNy8V1U', 'D6pqacncpB', 'L0hqgFOoqt', 'dNsqt7eiIE', 'XZWqMtoxh1', 'kC0q3op3cR', 'mYHqYYn5rP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, cwSp48wlWmdkLMUbRn.cs	High entropy of concatenated method names: 'YEXQiOCpha', 'TaqQZDtBtO', 'DHuPFXYXjy', 'viIPBQ1KGj', 'cX1QpIeU2M', 'P5VQ8MFB9k', 'sU5QLhT4MT', 'yyFQKj8KlP', 'bLLQDB4jdj', 'z3kQ4fxAmt'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, zgULROdx53FtcVdxrb.cs	High entropy of concatenated method names: 'ljHQAuITy9', 'uQMQOvu2MZ', 'ToString', 'aUcQsRUM9K', 'mpVQIWvX1f', 'qFoQm70Zmc', 'mObQyEmfyW', 'hWRQkbnxa3', 'VjFQqVyDSd', 'W3AQvtY0ew'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	High entropy of concatenated method names: 'goMIKEWGeg', 'u26IDOFC3S', 'SnuI4VSAbs', 'LY3ITX53PE', 'xDIIxvDqFd', 'UDZIXBCEAA', 'gpGIoKANAZ', 'oGXIijDnAf', 'fn7ICD14NO', 'SnGIZk8esT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, og6JZM7vcsSTvWXxUG.cs	High entropy of concatenated method names: 'ERRwaHVGW', 'PWUNOYQMo', 'c53gwwlZD', 'TBcta9ZMg', 'gq33w8AIW', 'y8VYB2MGO', 'Q4IiSUo47JKLSEiFBd', 'tMW6m9FUrVTGaqjil8', 'kfvPKDh1i', 'tmveCGFjw'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, v0c3BnzsGGvxHTnpZq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ebs1uHhiHO', 'Hao1cAbcfb', 'qIQ1bOZDPP', 'LAK1QZBWWy', 'xtq1PwkA1O', 'upK11Rdb9c', 'nFG1eGPsy9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, EiI4J1gsgEpvMUVeIr.cs	High entropy of concatenated method names: 'AvVPsX52Xk', 'yrFPIWsbO7', 'BAaPmY3Ysn', 'sHgPyxNyah', 'q6NPkkUymK', 'gtWPqQlQJ5', 'lI6Pvd2pri', 'kfCP5aipUr', 'deBPAnUgV8', 'pGJPOgxdv9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, sstE2rE2FHbpyWHeil.cs	High entropy of concatenated method names: 'QyLmN1trIt', 'bpAmgpjF07', 'rCPmMshCaO', 'wHXm3naUdw', 'mLOmctTHPM', 'Y28mbJCZwg', 'K8AmQI3Vew', 'ua0mPakMIA', 'DZtm1LESoN', 's44menTDNP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, dVbdYWjrJy6D8mXC3HN.cs	High entropy of concatenated method names: 'V0V17Lrlsa', 'euF16Ff0Ws', 'SJg1wE6CU3', 'ArE1NvZ53S', 'S9o1aHDwXA', 'yhN1gmsQqN', 'gY41tOkoUB', 'i2A1MoedVd', 'K3K13jXEU6', 'njl1Y3ePZB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, k1ljfRRekjotoW2QGo.cs	High entropy of concatenated method names: 'FH4PGlZaS4', 'xw5PHprckX', 'E6jPd7le3e', 'JfFPh1JS7a', 'sk0PKqpjXb', 'IC5P2h3Fed', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, QnUNhefD2F9UwihjTT.cs	High entropy of concatenated method names: 'efnBqqGBAg', 'uFsBvZt3pj', 'jfNBA97M80', 'lNdBOwyOyj', 'TYwBc7RaWT', 's9gBbTrNPs', 'OT7orF2AP6v02ilR6u', 'j2qM2nWYESVyEb63hP', 'NHOBBsq2Id', 'VatBr5BoRF'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, oQbKyJ809BxJXn8WyT.cs	High entropy of concatenated method names: 'uAkcfwODai', 'NA0c8UgXma', 'ceTcKs6tNl', 'VyicDsKdUH', 'COlcHigPv8', 'UDvcdL9lZC', 'FSmchVySOJ', 'lL0c2ICxRt', 'EMucSwlaBF', 'UdGcEhr5Ib'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, cbW82iCn8DJ8wSMm2p.cs	High entropy of concatenated method names: 'SffkjgIaHA', 'oGNkI1yC23', 'FrwkyIg9rg', 'C09kqjqZWP', 'zKSkv2RVO1', 'ojiyxa0NDh', 'ta1yXA9HnP', 'lipyoDg95t', 'w7yyi3U0mb', 'uf9yCgcbOx'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	High entropy of concatenated method names: 'U3qrjQn2sV', 'OberstitGJ', 'jcUrI6B4Nf', 'r78rm95Los', 'GNsryCi5JM', 'xOHrkpPH0f', 'k1IrqCk1BV', 'HPnrvB3xHG', 'y8Jr5oG57U', 'natrAMMtBj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, B5htBfs6Eq60LvMyWr.cs	High entropy of concatenated method names: 'w57qscG8RD', 'x7YqmqC8Eh', 'ocGqkZwtlW', 'YEOkZu65Z3', 'WuCkzB7aRn', 'PLdqFVe9nq', 'or2qBxUlFK', 'ECFqWpjDeU', 'mh8qrHFT6u', 'u7gqUiT0Rl'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, bmncYvqpj1lkAkdaQY.cs	High entropy of concatenated method names: 'Dispose', 'IcXBCLO8dK', 'OprWH8BmSy', 'qyxVVUCACc', 'rWyBZKWZOd', 'ca6BzUmIwp', 'ProcessDialogKey', 'bvsWFFNFRT', 'pHJWB2uDHa', 'vNdWWWcIPj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, Kfn4gOm6qJR5uQnJ51.cs	High entropy of concatenated method names: 'Cev1B8FA1K', 'C0x1rEctfk', 'lt51UPv0iK', 'g8U1sCb5y0', 'UpQ1IT9URT', 'PXW1yMqku4', 'qL41kVLh3p', 'DaaPoI8YYe', 'HXwPiaOwJN', 'kIBPCnQAKB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, cTP0ujQ4unMvfM1Q7j.cs	High entropy of concatenated method names: 'T1tuM2V1Z1', 'tmdu3YGU3n', 'r5juGdGarH', 'fBeuHNSPOs', 'reouhLNGS1', 'Tfuu2pAZ9V', 'OlLuE1IDtm', 'u4wundyhXV', 'LZbufJtWM4', 'qUeupD3qq4'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, pCZRiIVyb8gQ36Jscb.cs	High entropy of concatenated method names: 'Cuaq78BXpo', 'eJfq6HMgjS', 'eoNqwvC5rd', 'n9yqNy8V1U', 'D6pqacncpB', 'L0hqgFOoqt', 'dNsqt7eiIE', 'XZWqMtoxh1', 'kC0q3op3cR', 'mYHqYYn5rP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, cwSp48wlWmdkLMUbRn.cs	High entropy of concatenated method names: 'YEXQiOCpha', 'TaqQZDtBtO', 'DHuPFXYXjy', 'viIPBQ1KGj', 'cX1QpIeU2M', 'P5VQ8MFB9k', 'sU5QLhT4MT', 'yyFQKj8KlP', 'bLLQDB4jdj', 'z3kQ4fxAmt'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, zgULROdx53FtcVdxrb.cs	High entropy of concatenated method names: 'ljHQAuITy9', 'uQMQOvu2MZ', 'ToString', 'aUcQsRUM9K', 'mpVQIWvX1f', 'qFoQm70Zmc', 'mObQyEmfyW', 'hWRQkbnxa3', 'VjFQqVyDSd', 'W3AQvtY0ew'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	High entropy of concatenated method names: 'goMIKEWGeg', 'u26IDOFC3S', 'SnuI4VSAbs', 'LY3ITX53PE', 'xDIIxvDqFd', 'UDZIXBCEAA', 'gpGIoKANAZ', 'oGXIijDnAf', 'fn7ICD14NO', 'SnGIZk8esT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, og6JZM7vcsSTvWXxUG.cs	High entropy of concatenated method names: 'ERRwaHVGW', 'PWUNOYQMo', 'c53gwwlZD', 'TBcta9ZMg', 'gq33w8AIW', 'y8VYB2MGO', 'Q4IiSUo47JKLSEiFBd', 'tMW6m9FUrVTGaqjil8', 'kfvPKDh1i', 'tmveCGFjw'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, v0c3BnzsGGvxHTnpZq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ebs1uHhiHO', 'Hao1cAbcfb', 'qIQ1bOZDPP', 'LAK1QZBWWy', 'xtq1PwkA1O', 'upK11Rdb9c', 'nFG1eGPsy9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, EiI4J1gsgEpvMUVeIr.cs	High entropy of concatenated method names: 'AvVPsX52Xk', 'yrFPIWsbO7', 'BAaPmY3Ysn', 'sHgPyxNyah', 'q6NPkkUymK', 'gtWPqQlQJ5', 'lI6Pvd2pri', 'kfCP5aipUr', 'deBPAnUgV8', 'pGJPOgxdv9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, sstE2rE2FHbpyWHeil.cs	High entropy of concatenated method names: 'QyLmN1trIt', 'bpAmgpjF07', 'rCPmMshCaO', 'wHXm3naUdw', 'mLOmctTHPM', 'Y28mbJCZwg', 'K8AmQI3Vew', 'ua0mPakMIA', 'DZtm1LESoN', 's44menTDNP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, dVbdYWjrJy6D8mXC3HN.cs	High entropy of concatenated method names: 'V0V17Lrlsa', 'euF16Ff0Ws', 'SJg1wE6CU3', 'ArE1NvZ53S', 'S9o1aHDwXA', 'yhN1gmsQqN', 'gY41tOkoUB', 'i2A1MoedVd', 'K3K13jXEU6', 'njl1Y3ePZB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, k1ljfRRekjotoW2QGo.cs	High entropy of concatenated method names: 'FH4PGlZaS4', 'xw5PHprckX', 'E6jPd7le3e', 'JfFPh1JS7a', 'sk0PKqpjXb', 'IC5P2h3Fed', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, QnUNhefD2F9UwihjTT.cs	High entropy of concatenated method names: 'efnBqqGBAg', 'uFsBvZt3pj', 'jfNBA97M80', 'lNdBOwyOyj', 'TYwBc7RaWT', 's9gBbTrNPs', 'OT7orF2AP6v02ilR6u', 'j2qM2nWYESVyEb63hP', 'NHOBBsq2Id', 'VatBr5BoRF'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, oQbKyJ809BxJXn8WyT.cs	High entropy of concatenated method names: 'uAkcfwODai', 'NA0c8UgXma', 'ceTcKs6tNl', 'VyicDsKdUH', 'COlcHigPv8', 'UDvcdL9lZC', 'FSmchVySOJ', 'lL0c2ICxRt', 'EMucSwlaBF', 'UdGcEhr5Ib'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, cbW82iCn8DJ8wSMm2p.cs	High entropy of concatenated method names: 'SffkjgIaHA', 'oGNkI1yC23', 'FrwkyIg9rg', 'C09kqjqZWP', 'zKSkv2RVO1', 'ojiyxa0NDh', 'ta1yXA9HnP', 'lipyoDg95t', 'w7yyi3U0mb', 'uf9yCgcbOx'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	High entropy of concatenated method names: 'U3qrjQn2sV', 'OberstitGJ', 'jcUrI6B4Nf', 'r78rm95Los', 'GNsryCi5JM', 'xOHrkpPH0f', 'k1IrqCk1BV', 'HPnrvB3xHG', 'y8Jr5oG57U', 'natrAMMtBj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2db5b4c.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7ef0000.8.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2dbf164.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e0fccc.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e066b4.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 4D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 8000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 9000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 91C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: A1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6382			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3279			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process token adjusted: Debug	Jump to behavior

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Name	IP	Active
checkip.dyndns.com	158.101.44.242	true
checkip.dyndns.org	unknown	unknown

ID:	1519365
Product:	CloudBasic
Start time:	12:22:18
Start date:	26.09.2024
Sample:	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3e2ea8c3f5ca13f16f8ca1c85087f6b6
SHA1:	bc8727f0e142e331b34f01d2dc483da61b24db6b
SHA256:	3e0693e5ed5ef3326bd7f6e54db8adc71e28540c2c3e2a60cbf8d1bdb0ff41f3
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f328b3eaafa9c91d9bd94872426a6bfa15601ef3_be39743d_62ab06af-1377-4cda-9754-2f756f7c2d73\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	3031A53B6854DE584199A8986AE76AC5	78BDD1700BA8E6D5FD4B8F4AE16ABFE4E508E495	ED14F710EB5AFAF07128529CB622B66F6CE56731182E050C34331D93B90CDCEE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ACB.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Sep 26 10:23:23 2024, 0x1205a4 type	81D99FD62476D67F973D8DB4805E7C2F	B9967BC643AB1BB942FE724CF83F11121E88D413	4CEFA954269C7C53887E830E224E221D4329B774495C4CB8FFF39A89075CE234
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C81.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	AA8BBB04BCC57BA1F3464CCE6B4BEE7A	B3860E442750D4E69FA5BF9F3E981B20DFB5A9D6	F402CE283BF3B9A13B5CDB8266F478B236D9EA63AE5A496455E0053EA3A66643
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CB1.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0FC3E39D0B4265AA090CE229A2658680	9B1BE27102C63F0A2D3EC03998C3F7AFE3BD6CEB	6C04273A33A6FC4FB04A4A04B5DF893671BC02E27DE0914B4085D317CBC43E40
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	BB2FB06FDC82A0A5EC292C2B3424EE3C	702F55BE6461ED14909FC34B43945C391CD6D7EA	9FB5FC77BA06C12044353AE672618AF9A2495C9A0F4DA701435633C385FAA7D6
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkdrzkk4.prl.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwpywpgg.guy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phlhqcc5.izb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y133hkv3.ire.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	DD1600E6BC9644BE633773802C80FBBD	DED10AA5D0C4A1CB6B1C01DB97FB2E646C0B535D	28E05ACF4033B0691A2874F4D6793C11E5431B953A2D9826BBE6E7A79CCB8652

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Malware Threat Intel
Provided by