Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Analysis ID:	1519365
MD5:	3e2ea8c3f5ca13f16f8ca1c85087f6b6
SHA1:	bc8727f0e142e331b34f01d2dc483da61b24db6b
SHA256:	3e0693e5ed5ef3326bd7f6e54db8adc71e28540c2c3e2a60cbf8d1bdb0ff41f3
Tags:	exe
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe" MD5: 3E2EA8C3F5CA13F16F8CA1C85087F6B6)

powershell.exe (PID: 8124 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7720 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe (PID: 8140 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe" MD5: 3E2EA8C3F5CA13F16F8CA1C85087F6B6)

SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe (PID: 8164 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe" MD5: 3E2EA8C3F5CA13F16F8CA1C85087F6B6)

WerFault.exe (PID: 5760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 1524 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e434:$a1: get_encryptedPassword 0x2e9bc:$a2: get_encryptedUsername 0x2e0a7:$a3: get_timePasswordChanged 0x2e1be:$a4: get_passwordField 0x2e44a:$a5: set_encryptedPassword 0x31173:$a6: get_passwords 0x31507:$a7: get_logins 0x3115f:$a8: GetOutlookPasswords 0x30b18:$a9: StartKeylogger 0x31460:$a10: KeyLoggerEventArgs 0x30bb8:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbf794:$a1: get_encryptedPassword 0x102fb4:$a1: get_encryptedPassword 0x25aed4:$a1: get_encryptedPassword 0xbfd1c:$a2: get_encryptedUsername 0x10353c:$a2: get_encryptedUsername 0x25b45c:$a2: get_encryptedUsername 0xbf407:$a3: get_timePasswordChanged 0x102c27:$a3: get_timePasswordChanged 0x25ab47:$a3: get_timePasswordChanged 0xbf51e:$a4: get_passwordField 0x102d3e:$a4: get_passwordField 0x25ac5e:$a4: get_passwordField 0xbf7aa:$a5: set_encryptedPassword 0x102fca:$a5: set_encryptedPassword 0x25aeea:$a5: set_encryptedPassword 0xc24d3:$a6: get_passwords 0x105cf3:$a6: get_passwords 0x25dc13:$a6: get_passwords 0xc2867:$a7: get_logins 0x106087:$a7: get_logins 0x25dfa7:$a7: get_logins
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x58218:$a1: get_encryptedPassword 0x58796:$a2: get_encryptedUsername 0x57e9a:$a3: get_timePasswordChanged 0x57fb1:$a4: get_passwordField 0x5822e:$a5: set_encryptedPassword 0x5aeff:$a6: get_passwords 0x5b28f:$a7: get_logins 0x5aeeb:$a8: GetOutlookPasswords 0x5a8a4:$a9: StartKeylogger 0x5b1e8:$a10: KeyLoggerEventArgs 0x5a944:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a327:$a1: get_encryptedPassword 0x1a8a5:$a2: get_encryptedUsername 0x19fa9:$a3: get_timePasswordChanged 0x1a0c0:$a4: get_passwordField 0x1a33d:$a5: set_encryptedPassword 0x1d00e:$a6: get_passwords 0x1d39e:$a7: get_logins 0x1cffa:$a8: GetOutlookPasswords 0x1c9b3:$a9: StartKeylogger 0x1d2f7:$a10: KeyLoggerEventArgs 0x1ca53:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c834:$a1: get_encryptedPassword 0x2cdbc:$a2: get_encryptedUsername 0x2c4a7:$a3: get_timePasswordChanged 0x2c5be:$a4: get_passwordField 0x2c84a:$a5: set_encryptedPassword 0x2f573:$a6: get_passwords 0x2f907:$a7: get_logins 0x2f55f:$a8: GetOutlookPasswords 0x2ef18:$a9: StartKeylogger 0x2f860:$a10: KeyLoggerEventArgs 0x2efb8:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39e76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39519:$a3: \Google\Chrome\User Data\Default\Login Data 0x39776:$a4: \Orbitum\User Data\Default\Login Data 0x3a155:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dbf8:$s1: UnHook 0x2dbff:$s2: SetHook 0x2dc07:$s3: CallNextHook 0x2dc14:$s4: _hook
6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x31707:$a7: get_logins 0x3135f:$a8: GetOutlookPasswords 0x30d18:$a9: StartKeylogger 0x31660:$a10: KeyLoggerEventArgs 0x30db8:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bc76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b319:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b576:$a4: \Orbitum\User Data\Default\Login Data 0x3bf55:$a5: \Kometa\User Data\Default\Login Data
6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x2f9ff:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x2fa14:$s4: _hook
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c834:$a1: get_encryptedPassword 0x2cdbc:$a2: get_encryptedUsername 0x2c4a7:$a3: get_timePasswordChanged 0x2c5be:$a4: get_passwordField 0x2c84a:$a5: set_encryptedPassword 0x2f573:$a6: get_passwords 0x2f907:$a7: get_logins 0x2f55f:$a8: GetOutlookPasswords 0x2ef18:$a9: StartKeylogger 0x2f860:$a10: KeyLoggerEventArgs 0x2efb8:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39e76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39519:$a3: \Google\Chrome\User Data\Default\Login Data 0x39776:$a4: \Orbitum\User Data\Default\Login Data 0x3a155:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dbf8:$s1: UnHook 0x2dbff:$s2: SetHook 0x2dc07:$s3: CallNextHook 0x2dc14:$s4: _hook
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x31707:$a7: get_logins 0x3135f:$a8: GetOutlookPasswords 0x30d18:$a9: StartKeylogger 0x31660:$a10: KeyLoggerEventArgs 0x30db8:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x2f9ff:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x2fa14:$s4: _hook
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x71e54:$a1: get_encryptedPassword 0x1c9d74:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x723dc:$a2: get_encryptedUsername 0x1ca2fc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x71ac7:$a3: get_timePasswordChanged 0x1c99e7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x71bde:$a4: get_passwordField 0x1c9afe:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x71e6a:$a5: set_encryptedPassword 0x1c9d8a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x74b93:$a6: get_passwords 0x1ccab3:$a6: get_passwords 0x31707:$a7: get_logins 0x74f27:$a7: get_logins 0x1cce47:$a7: get_logins
0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x73218:$s1: UnHook 0x1cb138:$s1: UnHook 0x2f9ff:$s2: SetHook 0x7321f:$s2: SetHook 0x1cb13f:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x73227:$s3: CallNextHook 0x1cb147:$s3: CallNextHook 0x2fa14:$s4: _hook 0x73234:$s4: _hook 0x1cb154:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, ParentProcessId: 7952, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", ProcessId: 8124, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, ParentProcessId: 7952, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe", ProcessId: 8124, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.PDB source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457738181.0000000001337000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbn source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbQ source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457738181.0000000001337000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb* source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdba source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb<T6 source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.PDBJ source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbH source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 4x nop then jmp 06FA5375h	0_2_06FA4F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 4x nop then jmp 06FA5375h	0_2_06FA48E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 4x nop then jmp 06FA5375h	0_2_06FA49FA

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

Source: unknown

DNS query: name: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003400000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1373260181.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013CDA4C	0_2_013CDA4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA6F98	0_2_06FA6F98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA24D0	0_2_06FA24D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA24C0	0_2_06FA24C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA0478	0_2_06FA0478
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA1B20	0_2_06FA1B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA0040	0_2_06FA0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_06FA0006	0_2_06FA0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_078191B0	0_2_078191B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781CF28	0_2_0781CF28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_07817710	0_2_07817710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_07817720	0_2_07817720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781CF17	0_2_0781CF17
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781FA88	0_2_0781FA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781FAA8	0_2_0781FAA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 6_2_017C394B	6_2_017C394B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 6_2_017C3E09	6_2_017C3E09

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 1524

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000000.1349778814.0000000000A1E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSEhZ.exe0 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1373260181.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1377816076.0000000007290000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1373260181.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1362709774.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Binary or memory string: OriginalFilenameSEhZ.exe0 vs SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/11@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwpywpgg.guy.ps1

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 1524
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.PDB source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457738181.0000000001337000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbn source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbQ source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457738181.0000000001337000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb* source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdba source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb<T6 source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.PDBJ source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbH source: WER3ACB.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3ACB.tmp.dmp.10.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	.Net Code: Y0SUwLXjc4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	.Net Code: Y0SUwLXjc4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2db5b4c.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7ef0000.8.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2dbf164.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e0fccc.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e066b4.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C4779 push ebp; iretd	0_2_013C477A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C477B push ebp; iretd	0_2_013C4782
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C47B1 push esi; iretd	0_2_013C47B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C4659 push edx; iretd	0_2_013C465A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C465B push edx; iretd	0_2_013C4662
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C46B9 push edx; iretd	0_2_013C46BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_013C9771 pushfd ; iretd	0_2_013C9772
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Code function: 0_2_0781C5E8 push eax; iretd	0_2_0781C5E9

Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Static PE information: section name: .text entropy: 7.880526514779496

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, B5htBfs6Eq60LvMyWr.cs	High entropy of concatenated method names: 'w57qscG8RD', 'x7YqmqC8Eh', 'ocGqkZwtlW', 'YEOkZu65Z3', 'WuCkzB7aRn', 'PLdqFVe9nq', 'or2qBxUlFK', 'ECFqWpjDeU', 'mh8qrHFT6u', 'u7gqUiT0Rl'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, bmncYvqpj1lkAkdaQY.cs	High entropy of concatenated method names: 'Dispose', 'IcXBCLO8dK', 'OprWH8BmSy', 'qyxVVUCACc', 'rWyBZKWZOd', 'ca6BzUmIwp', 'ProcessDialogKey', 'bvsWFFNFRT', 'pHJWB2uDHa', 'vNdWWWcIPj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, Kfn4gOm6qJR5uQnJ51.cs	High entropy of concatenated method names: 'Cev1B8FA1K', 'C0x1rEctfk', 'lt51UPv0iK', 'g8U1sCb5y0', 'UpQ1IT9URT', 'PXW1yMqku4', 'qL41kVLh3p', 'DaaPoI8YYe', 'HXwPiaOwJN', 'kIBPCnQAKB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, cTP0ujQ4unMvfM1Q7j.cs	High entropy of concatenated method names: 'T1tuM2V1Z1', 'tmdu3YGU3n', 'r5juGdGarH', 'fBeuHNSPOs', 'reouhLNGS1', 'Tfuu2pAZ9V', 'OlLuE1IDtm', 'u4wundyhXV', 'LZbufJtWM4', 'qUeupD3qq4'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, pCZRiIVyb8gQ36Jscb.cs	High entropy of concatenated method names: 'Cuaq78BXpo', 'eJfq6HMgjS', 'eoNqwvC5rd', 'n9yqNy8V1U', 'D6pqacncpB', 'L0hqgFOoqt', 'dNsqt7eiIE', 'XZWqMtoxh1', 'kC0q3op3cR', 'mYHqYYn5rP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, cwSp48wlWmdkLMUbRn.cs	High entropy of concatenated method names: 'YEXQiOCpha', 'TaqQZDtBtO', 'DHuPFXYXjy', 'viIPBQ1KGj', 'cX1QpIeU2M', 'P5VQ8MFB9k', 'sU5QLhT4MT', 'yyFQKj8KlP', 'bLLQDB4jdj', 'z3kQ4fxAmt'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, zgULROdx53FtcVdxrb.cs	High entropy of concatenated method names: 'ljHQAuITy9', 'uQMQOvu2MZ', 'ToString', 'aUcQsRUM9K', 'mpVQIWvX1f', 'qFoQm70Zmc', 'mObQyEmfyW', 'hWRQkbnxa3', 'VjFQqVyDSd', 'W3AQvtY0ew'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	High entropy of concatenated method names: 'goMIKEWGeg', 'u26IDOFC3S', 'SnuI4VSAbs', 'LY3ITX53PE', 'xDIIxvDqFd', 'UDZIXBCEAA', 'gpGIoKANAZ', 'oGXIijDnAf', 'fn7ICD14NO', 'SnGIZk8esT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, og6JZM7vcsSTvWXxUG.cs	High entropy of concatenated method names: 'ERRwaHVGW', 'PWUNOYQMo', 'c53gwwlZD', 'TBcta9ZMg', 'gq33w8AIW', 'y8VYB2MGO', 'Q4IiSUo47JKLSEiFBd', 'tMW6m9FUrVTGaqjil8', 'kfvPKDh1i', 'tmveCGFjw'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, v0c3BnzsGGvxHTnpZq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ebs1uHhiHO', 'Hao1cAbcfb', 'qIQ1bOZDPP', 'LAK1QZBWWy', 'xtq1PwkA1O', 'upK11Rdb9c', 'nFG1eGPsy9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, EiI4J1gsgEpvMUVeIr.cs	High entropy of concatenated method names: 'AvVPsX52Xk', 'yrFPIWsbO7', 'BAaPmY3Ysn', 'sHgPyxNyah', 'q6NPkkUymK', 'gtWPqQlQJ5', 'lI6Pvd2pri', 'kfCP5aipUr', 'deBPAnUgV8', 'pGJPOgxdv9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, sstE2rE2FHbpyWHeil.cs	High entropy of concatenated method names: 'QyLmN1trIt', 'bpAmgpjF07', 'rCPmMshCaO', 'wHXm3naUdw', 'mLOmctTHPM', 'Y28mbJCZwg', 'K8AmQI3Vew', 'ua0mPakMIA', 'DZtm1LESoN', 's44menTDNP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, dVbdYWjrJy6D8mXC3HN.cs	High entropy of concatenated method names: 'V0V17Lrlsa', 'euF16Ff0Ws', 'SJg1wE6CU3', 'ArE1NvZ53S', 'S9o1aHDwXA', 'yhN1gmsQqN', 'gY41tOkoUB', 'i2A1MoedVd', 'K3K13jXEU6', 'njl1Y3ePZB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, k1ljfRRekjotoW2QGo.cs	High entropy of concatenated method names: 'FH4PGlZaS4', 'xw5PHprckX', 'E6jPd7le3e', 'JfFPh1JS7a', 'sk0PKqpjXb', 'IC5P2h3Fed', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, QnUNhefD2F9UwihjTT.cs	High entropy of concatenated method names: 'efnBqqGBAg', 'uFsBvZt3pj', 'jfNBA97M80', 'lNdBOwyOyj', 'TYwBc7RaWT', 's9gBbTrNPs', 'OT7orF2AP6v02ilR6u', 'j2qM2nWYESVyEb63hP', 'NHOBBsq2Id', 'VatBr5BoRF'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, oQbKyJ809BxJXn8WyT.cs	High entropy of concatenated method names: 'uAkcfwODai', 'NA0c8UgXma', 'ceTcKs6tNl', 'VyicDsKdUH', 'COlcHigPv8', 'UDvcdL9lZC', 'FSmchVySOJ', 'lL0c2ICxRt', 'EMucSwlaBF', 'UdGcEhr5Ib'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, cbW82iCn8DJ8wSMm2p.cs	High entropy of concatenated method names: 'SffkjgIaHA', 'oGNkI1yC23', 'FrwkyIg9rg', 'C09kqjqZWP', 'zKSkv2RVO1', 'ojiyxa0NDh', 'ta1yXA9HnP', 'lipyoDg95t', 'w7yyi3U0mb', 'uf9yCgcbOx'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7290000.7.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	High entropy of concatenated method names: 'U3qrjQn2sV', 'OberstitGJ', 'jcUrI6B4Nf', 'r78rm95Los', 'GNsryCi5JM', 'xOHrkpPH0f', 'k1IrqCk1BV', 'HPnrvB3xHG', 'y8Jr5oG57U', 'natrAMMtBj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, B5htBfs6Eq60LvMyWr.cs	High entropy of concatenated method names: 'w57qscG8RD', 'x7YqmqC8Eh', 'ocGqkZwtlW', 'YEOkZu65Z3', 'WuCkzB7aRn', 'PLdqFVe9nq', 'or2qBxUlFK', 'ECFqWpjDeU', 'mh8qrHFT6u', 'u7gqUiT0Rl'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, bmncYvqpj1lkAkdaQY.cs	High entropy of concatenated method names: 'Dispose', 'IcXBCLO8dK', 'OprWH8BmSy', 'qyxVVUCACc', 'rWyBZKWZOd', 'ca6BzUmIwp', 'ProcessDialogKey', 'bvsWFFNFRT', 'pHJWB2uDHa', 'vNdWWWcIPj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, Kfn4gOm6qJR5uQnJ51.cs	High entropy of concatenated method names: 'Cev1B8FA1K', 'C0x1rEctfk', 'lt51UPv0iK', 'g8U1sCb5y0', 'UpQ1IT9URT', 'PXW1yMqku4', 'qL41kVLh3p', 'DaaPoI8YYe', 'HXwPiaOwJN', 'kIBPCnQAKB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, cTP0ujQ4unMvfM1Q7j.cs	High entropy of concatenated method names: 'T1tuM2V1Z1', 'tmdu3YGU3n', 'r5juGdGarH', 'fBeuHNSPOs', 'reouhLNGS1', 'Tfuu2pAZ9V', 'OlLuE1IDtm', 'u4wundyhXV', 'LZbufJtWM4', 'qUeupD3qq4'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, pCZRiIVyb8gQ36Jscb.cs	High entropy of concatenated method names: 'Cuaq78BXpo', 'eJfq6HMgjS', 'eoNqwvC5rd', 'n9yqNy8V1U', 'D6pqacncpB', 'L0hqgFOoqt', 'dNsqt7eiIE', 'XZWqMtoxh1', 'kC0q3op3cR', 'mYHqYYn5rP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, cwSp48wlWmdkLMUbRn.cs	High entropy of concatenated method names: 'YEXQiOCpha', 'TaqQZDtBtO', 'DHuPFXYXjy', 'viIPBQ1KGj', 'cX1QpIeU2M', 'P5VQ8MFB9k', 'sU5QLhT4MT', 'yyFQKj8KlP', 'bLLQDB4jdj', 'z3kQ4fxAmt'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, zgULROdx53FtcVdxrb.cs	High entropy of concatenated method names: 'ljHQAuITy9', 'uQMQOvu2MZ', 'ToString', 'aUcQsRUM9K', 'mpVQIWvX1f', 'qFoQm70Zmc', 'mObQyEmfyW', 'hWRQkbnxa3', 'VjFQqVyDSd', 'W3AQvtY0ew'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	High entropy of concatenated method names: 'goMIKEWGeg', 'u26IDOFC3S', 'SnuI4VSAbs', 'LY3ITX53PE', 'xDIIxvDqFd', 'UDZIXBCEAA', 'gpGIoKANAZ', 'oGXIijDnAf', 'fn7ICD14NO', 'SnGIZk8esT'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, og6JZM7vcsSTvWXxUG.cs	High entropy of concatenated method names: 'ERRwaHVGW', 'PWUNOYQMo', 'c53gwwlZD', 'TBcta9ZMg', 'gq33w8AIW', 'y8VYB2MGO', 'Q4IiSUo47JKLSEiFBd', 'tMW6m9FUrVTGaqjil8', 'kfvPKDh1i', 'tmveCGFjw'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, v0c3BnzsGGvxHTnpZq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ebs1uHhiHO', 'Hao1cAbcfb', 'qIQ1bOZDPP', 'LAK1QZBWWy', 'xtq1PwkA1O', 'upK11Rdb9c', 'nFG1eGPsy9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, EiI4J1gsgEpvMUVeIr.cs	High entropy of concatenated method names: 'AvVPsX52Xk', 'yrFPIWsbO7', 'BAaPmY3Ysn', 'sHgPyxNyah', 'q6NPkkUymK', 'gtWPqQlQJ5', 'lI6Pvd2pri', 'kfCP5aipUr', 'deBPAnUgV8', 'pGJPOgxdv9'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, sstE2rE2FHbpyWHeil.cs	High entropy of concatenated method names: 'QyLmN1trIt', 'bpAmgpjF07', 'rCPmMshCaO', 'wHXm3naUdw', 'mLOmctTHPM', 'Y28mbJCZwg', 'K8AmQI3Vew', 'ua0mPakMIA', 'DZtm1LESoN', 's44menTDNP'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, dVbdYWjrJy6D8mXC3HN.cs	High entropy of concatenated method names: 'V0V17Lrlsa', 'euF16Ff0Ws', 'SJg1wE6CU3', 'ArE1NvZ53S', 'S9o1aHDwXA', 'yhN1gmsQqN', 'gY41tOkoUB', 'i2A1MoedVd', 'K3K13jXEU6', 'njl1Y3ePZB'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, k1ljfRRekjotoW2QGo.cs	High entropy of concatenated method names: 'FH4PGlZaS4', 'xw5PHprckX', 'E6jPd7le3e', 'JfFPh1JS7a', 'sk0PKqpjXb', 'IC5P2h3Fed', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, QnUNhefD2F9UwihjTT.cs	High entropy of concatenated method names: 'efnBqqGBAg', 'uFsBvZt3pj', 'jfNBA97M80', 'lNdBOwyOyj', 'TYwBc7RaWT', 's9gBbTrNPs', 'OT7orF2AP6v02ilR6u', 'j2qM2nWYESVyEb63hP', 'NHOBBsq2Id', 'VatBr5BoRF'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, oQbKyJ809BxJXn8WyT.cs	High entropy of concatenated method names: 'uAkcfwODai', 'NA0c8UgXma', 'ceTcKs6tNl', 'VyicDsKdUH', 'COlcHigPv8', 'UDvcdL9lZC', 'FSmchVySOJ', 'lL0c2ICxRt', 'EMucSwlaBF', 'UdGcEhr5Ib'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, cbW82iCn8DJ8wSMm2p.cs	High entropy of concatenated method names: 'SffkjgIaHA', 'oGNkI1yC23', 'FrwkyIg9rg', 'C09kqjqZWP', 'zKSkv2RVO1', 'ojiyxa0NDh', 'ta1yXA9HnP', 'lipyoDg95t', 'w7yyi3U0mb', 'uf9yCgcbOx'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.403acc0.6.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	High entropy of concatenated method names: 'U3qrjQn2sV', 'OberstitGJ', 'jcUrI6B4Nf', 'r78rm95Los', 'GNsryCi5JM', 'xOHrkpPH0f', 'k1IrqCk1BV', 'HPnrvB3xHG', 'y8Jr5oG57U', 'natrAMMtBj'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2db5b4c.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.7ef0000.8.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2dbf164.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e0fccc.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.2e066b4.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 4D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 8000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 9000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 91C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: A1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6382			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3279			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1458226383.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3fb58a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.3e1a160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe PID: 8164, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 Input Capture	21 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
http://upx.sf.net	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	158.101.44.242	true	false		unknown
checkip.dyndns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aborters.duckdns.org:8081	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://upx.sf.net	Amcache.hve.10.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003400000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1373260181.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://varders.kozow.com:8081	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519365
Start date and time:	2024-09-26 12:22:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/11@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 145 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe, PID 8164 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Simulations

Behavior and APIs

Time	Type	Description
06:23:18	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe modified
06:23:20	API Interceptor	11x Sleep call for process: powershell.exe modified
06:23:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
158.101.44.242	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Pedido de GmbH.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TT copy for SO-2409-032.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	invoice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	http://ec44d1ee.freyy.pages.dev/Zimbra%20Web%20Client%20Sign%20In/	Get hash	malicious	Unknown	Browse	147.154.16.196

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f328b3eaafa9c91d9bd94872426a6bfa15601ef3_be39743d_62ab06af-1377-4cda-9754-2f756f7c2d73\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1177012867317961
Encrypted:	false
SSDEEP:	192:lps11PC7EgT0BU/qa6ce36izuiFXZ24IO8+:lefOEgABU/qarVizuiFXY4IO8+
MD5:	3031A53B6854DE584199A8986AE76AC5
SHA1:	78BDD1700BA8E6D5FD4B8F4AE16ABFE4E508E495
SHA-256:	ED14F710EB5AFAF07128529CB622B66F6CE56731182E050C34331D93B90CDCEE
SHA-512:	659B5B01BD7E63512DD730634A88E76EF7C168C0ED4F46BDCB866E69599E9632E69B83CA2369AA0B28E0EDCFCB53632E058BE869FF23321742A208594DC7DEB4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.1.9.8.0.3.6.0.1.8.6.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.8.1.9.8.0.4.2.8.9.3.5.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.a.b.0.6.a.f.-.1.3.7.7.-.4.c.d.a.-.9.7.5.4.-.2.f.7.5.6.f.7.c.2.d.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.7.1.7.d.6.6.-.1.7.2.0.-.4.1.3.f.-.b.b.0.6.-.6.4.6.0.c.c.a.1.6.5.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...C.r.y.p.t.e.r.X.-.g.e.n...6.8.7.9...1.1.9.4.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.E.h.Z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.e.4.-.0.0.0.1.-.0.0.1.3.-.4.b.a.7.-.4.9.1.b.f.e.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.c.8.8.4.1.b.2.b.f.d.9.c.4.5.c.2.0.8.2.1.b.1.b.f.e.f.e.a.2.8.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ACB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Sep 26 10:23:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	270326
Entropy (8bit):	3.7595851579175728
Encrypted:	false
SSDEEP:	3072:pgoerLQgJF3k584uEqvGyoLTg/fm4xiUbNCUA:p6rLjJZi84jyeTgHmkiUbA
MD5:	81D99FD62476D67F973D8DB4805E7C2F
SHA1:	B9967BC643AB1BB942FE724CF83F11121E88D413
SHA-256:	4CEFA954269C7C53887E830E224E221D4329B774495C4CB8FFF39A89075CE234
SHA-512:	933BCBDAE60D07E8C4B17DC6E9BF10E27F09A9F8334C8D89A1A4373D1385383C372D792ED8E7479B56B3E0CFA2C5A9EF65E0DB8B06E59AC612DC53B9104DC8FC
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........6.f............D...............X.......<....#.......%...S..........`.......8...........T............;..^...........,$...........&..............................................................................eJ.......&......GenuineIntel............T............6.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C81.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6458
Entropy (8bit):	3.7287344126507156
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb8F6/EYR4xuQE/rbe5aM4U189bF/sfY3wGm:R6l7wVeJ8F6MYR40qpr189bF/sfQ3m
MD5:	AA8BBB04BCC57BA1F3464CCE6B4BEE7A
SHA1:	B3860E442750D4E69FA5BF9F3E981B20DFB5A9D6
SHA-256:	F402CE283BF3B9A13B5CDB8266F478B236D9EA63AE5A496455E0053EA3A66643
SHA-512:	E07B742C7DEA96B01A386539F00CBDEC5E099BE9D7F1CE4991181FCB712DDE95D6AA5B0B1C566EEB37DB7DF8D01E351AA972892AB3ACA1F1C020D788C95167C3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CB1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4834
Entropy (8bit):	4.567127356829371
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9Jg77aI9B+WpW8VYjbYm8M4JPBHjF1i+q80uD0h5j5eod:uIjfXI73/7VrJUcc9/d
MD5:	0FC3E39D0B4265AA090CE229A2658680
SHA1:	9B1BE27102C63F0A2D3EC03998C3F7AFE3BD6CEB
SHA-256:	6C04273A33A6FC4FB04A4A04B5DF893671BC02E27DE0914B4085D317CBC43E40
SHA-512:	25E45EF6AC0EB803A1B94A5E39ABD9EC722F6A87C6AA4BE8D7622D440D724D546A8D64941A33B3AFBEF3551AA2DBB8AD2EC68CD00AF0B8DEED96C83B3DDD1A91
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517046" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380046556058007
Encrypted:	false
SSDEEP:	48:tWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMuge//ZSUyus:tLHxv/IwLZ2KRH6Oug0s
MD5:	BB2FB06FDC82A0A5EC292C2B3424EE3C
SHA1:	702F55BE6461ED14909FC34B43945C391CD6D7EA
SHA-256:	9FB5FC77BA06C12044353AE672618AF9A2495C9A0F4DA701435633C385FAA7D6
SHA-512:	68470C96EE47E457435EB91D43E536A2E13E8536410CEA2E476AC6DD930FFC3404035857773150EA9D5AAF18D1765DE65255487DC5BF4C2D1D1A094225E517ED
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkdrzkk4.prl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwpywpgg.guy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phlhqcc5.izb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y133hkv3.ire.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.295989902752766
Encrypted:	false
SSDEEP:	6144:Z41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+YFmBMZJh1VjM:O1/YCW2AoQ0NieFwMHrVY
MD5:	DD1600E6BC9644BE633773802C80FBBD
SHA1:	DED10AA5D0C4A1CB6B1C01DB97FB2E646C0B535D
SHA-256:	28E05ACF4033B0691A2874F4D6793C11E5431B953A2D9826BBE6E7A79CCB8652
SHA-512:	54A0E89AE502C7B771FD0158A6241266B5F3C2B499F7226BF44CBE88D97AC19EC437B4ABDFD6B2E0AB7F5C397BB0F1F3308539AC68DD173FF4C1108874FED353
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.U...................................................................................................................................................................................................................................................................................................................................................P.)........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.874129511837346
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
File size:	708'096 bytes
MD5:	3e2ea8c3f5ca13f16f8ca1c85087f6b6
SHA1:	bc8727f0e142e331b34f01d2dc483da61b24db6b
SHA256:	3e0693e5ed5ef3326bd7f6e54db8adc71e28540c2c3e2a60cbf8d1bdb0ff41f3
SHA512:	343f33714fb819a3765a3b440e331057500ea17bd535fe02079222843c34f58a03fa17510ea091fc26db63cba8f4904724733afc8eea89672473bdcdbb354a10
SSDEEP:	12288:9Ok++Z4CujQ9TPfriopH5dvXVqml8rukCDWyFqAN6ukRLEdtTJx:9Ok++feQ9TPfrzpHPQ7r8yyQAwJg
TLSH:	1FE412982566CA07C4961BB81621F2BA53F86EDD9623C7179FDE3DEFB4A5B0006013D3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......$........... ........@.. .......................@............@................................

File Icon


Icon Hash:	1e77fe7273f0311e

Static PE Info

General

Entrypoint:	0x4ac69e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F4D6FA [Thu Sep 26 03:37:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac64c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x20ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaa6a4	0xaa800	d79dfbb9dd0a1e1ecad25e08b80a8a18	False	0.9210287412939883	data	7.880526514779496	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x20ac	0x2200	10291146a2ed454c96844df8736bf6d4	False	0.8969439338235294	data	7.498264857897663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	c5fe2cc634f31cfbc69d9077320da914	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xae0c8	0x1cbb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.996057104010877
RT_GROUP_ICON	0xafd94	0x14	data	1.05
RT_VERSION	0xafdb8	0x2f0	SysEx File - IDP	0.44813829787234044

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 12:23:21.361093998 CEST	49702	80	192.168.2.10	158.101.44.242
Sep 26, 2024 12:23:21.365964890 CEST	80	49702	158.101.44.242	192.168.2.10
Sep 26, 2024 12:23:21.366103888 CEST	49702	80	192.168.2.10	158.101.44.242
Sep 26, 2024 12:23:21.366571903 CEST	49702	80	192.168.2.10	158.101.44.242
Sep 26, 2024 12:23:21.371426105 CEST	80	49702	158.101.44.242	192.168.2.10
Sep 26, 2024 12:23:23.924483061 CEST	80	49702	158.101.44.242	192.168.2.10
Sep 26, 2024 12:23:23.976495981 CEST	49702	80	192.168.2.10	158.101.44.242
Sep 26, 2024 12:23:30.082583904 CEST	49702	80	192.168.2.10	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 12:23:21.336302042 CEST	59152	53	192.168.2.10	1.1.1.1
Sep 26, 2024 12:23:21.344445944 CEST	53	59152	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 12:23:21.336302042 CEST	192.168.2.10	1.1.1.1	0x8cd0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 12:23:21.344445944 CEST	1.1.1.1	192.168.2.10	0x8cd0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 12:23:21.344445944 CEST	1.1.1.1	192.168.2.10	0x8cd0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 12:23:21.344445944 CEST	1.1.1.1	192.168.2.10	0x8cd0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 12:23:21.344445944 CEST	1.1.1.1	192.168.2.10	0x8cd0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 12:23:21.344445944 CEST	1.1.1.1	192.168.2.10	0x8cd0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 12:23:21.344445944 CEST	1.1.1.1	192.168.2.10	0x8cd0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49702	158.101.44.242	80	8164	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 12:23:21.366571903 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 12:23:23.924483061 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 26 Sep 2024 10:23:23 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 4ca6f059ad05212253347330e0803d60 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	06:23:18
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Imagebase:	0x970000
File size:	708'096 bytes
MD5 hash:	3E2EA8C3F5CA13F16F8CA1C85087F6B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1374069454.0000000003D89000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:23:19
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Imagebase:	0xc40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:23:19
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:23:19
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Imagebase:	0x260000
File size:	708'096 bytes
MD5 hash:	3E2EA8C3F5CA13F16F8CA1C85087F6B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:23:19
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe"
Imagebase:	0xef0000
File size:	708'096 bytes
MD5 hash:	3E2EA8C3F5CA13F16F8CA1C85087F6B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1457543852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.1459137912.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:23:21
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6616b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:23:23
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 1524
Imagebase:	0x7e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	184
Total number of Limit Nodes:	14

Executed Functions

Function 078191B0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6244e5e84f91da28691f14aac777ededc84fd1c911875484b4e3096486f0d8
Instruction ID: 9225ad5f6aa78fdf0bbbc4b0fbe5b4b086a6723796c20808f77d43fcb2901c85
Opcode Fuzzy Hash: 5e6244e5e84f91da28691f14aac777ededc84fd1c911875484b4e3096486f0d8
Instruction Fuzzy Hash: 1071E5B0D0825CCBDB14CFAAC8506EDBBBABF9A304F10E069D419E7255DB346946CF50

Function 0781CF17 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b31555d35b20a1a15b84448c905c340be75fa3851c5ae2aa1dcceedc2dcd4f5
Instruction ID: 5ff79577ac6c1435815dab0ced46180cbea6b069fbe32bc500109906bbb57dd3
Opcode Fuzzy Hash: 0b31555d35b20a1a15b84448c905c340be75fa3851c5ae2aa1dcceedc2dcd4f5
Instruction Fuzzy Hash: 60214CB1D046588BEB18CFA7D9447DEFFF6AF8A304F04C16AC409A6265DB740546CF90

Function 0781CF28 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b334ac18ed950e0e72085a378ffbef4f5fb438f94067072ade5978da956035
Instruction ID: 0095c117ebf98d949fe99cc9fb21b3dfb38e05346c1d24bf58268db6250969e0
Opcode Fuzzy Hash: 25b334ac18ed950e0e72085a378ffbef4f5fb438f94067072ade5978da956035
Instruction Fuzzy Hash: 9B21E5B1D006189BEB18CF9BC9497DEFBFAAFC9300F04C16AD409A6264DB7509458FA0

Function 013CD138 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013CD1B6
GetCurrentThread.KERNEL32 ref: 013CD1F3
GetCurrentProcess.KERNEL32 ref: 013CD230
GetCurrentThreadId.KERNEL32 ref: 013CD289

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 86e497598e8b6cb19bed9587df37014d2722e89126264ca83e5265e563657694
Instruction ID: 0911db316eb39fe98cc358a0dcfa7c57fb0f38b3c6a3e1b25dccc96bc6605007
Opcode Fuzzy Hash: 86e497598e8b6cb19bed9587df37014d2722e89126264ca83e5265e563657694
Instruction Fuzzy Hash: 4C5145B0D003498FDB54CFA9D588BDEBBF1EF88314F208469E419A7360D774A945CBA5

Function 013CD133 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013CD1B6
GetCurrentThread.KERNEL32 ref: 013CD1F3
GetCurrentProcess.KERNEL32 ref: 013CD230
GetCurrentThreadId.KERNEL32 ref: 013CD289

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3aea76d2f6987745b09080ab690fc2b55feadc9d5c9d1d637033a23cdc0b072a
Instruction ID: 6f81fd0b7d1fb896eeeca6fcccfda0d72afb13e57b529a79a911e10db15a03d1
Opcode Fuzzy Hash: 3aea76d2f6987745b09080ab690fc2b55feadc9d5c9d1d637033a23cdc0b072a
Instruction Fuzzy Hash: EA5145B0D002498FDB54CFA9D588BDEBBF1EF88314F208469E419A7360D774AD45CBA5

Function 06FA2C44 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FA2E86

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: caa4dceba5cbbb9a19d02fa4670666dc6661ba17902dd8b5de66756be49b60f5
Instruction ID: ea5d36950f37a9a5bc1d3c1868ff32d2088c6a636dca94581b3c877c7f62f645
Opcode Fuzzy Hash: caa4dceba5cbbb9a19d02fa4670666dc6661ba17902dd8b5de66756be49b60f5
Instruction Fuzzy Hash: 1BA17DB1E007199FEB60DF68C840BDDBBB2FF48314F188569E818A7240DB749A85CF91

Function 06FA2C50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FA2E86

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 46117b25e56651f5de698a3eb2131ab3ea9ccbee26472534cf955686759edee3
Instruction ID: 14f3c32e1bd6894f4e91331b4ccb74107eb251df2435e8b60fb29b22fc1e52b6
Opcode Fuzzy Hash: 46117b25e56651f5de698a3eb2131ab3ea9ccbee26472534cf955686759edee3
Instruction Fuzzy Hash: BC915CB1E007199FEB64DF68C8407DDBBB2FF48314F188569D818A7240DB759A85CF91

Function 013C4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013C59C9

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c24f49d14b4f9ba53f32e9cde6815e67536d61172338bf08f7d36ec8173aa6da
Instruction ID: 85a7b602855f79d2745661252171f8c8f810a2125195f4d2b6e6d17e09140da6
Opcode Fuzzy Hash: c24f49d14b4f9ba53f32e9cde6815e67536d61172338bf08f7d36ec8173aa6da
Instruction Fuzzy Hash: 6F41B2B0D00719CBEB24CFAAC884BDDBBB5FF49708F20805AD409AB251D7756946CF90

Function 013C590F Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013C59C9

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9e8b635aac94982a971a6e2427b5bd1508330ba5e4f97c86e261e2b29044080e
Instruction ID: 2cbb58dcb609f2c27420ed640af96c85413f4556b785a9308d9632f4cb80070f
Opcode Fuzzy Hash: 9e8b635aac94982a971a6e2427b5bd1508330ba5e4f97c86e261e2b29044080e
Instruction Fuzzy Hash: D641C470D00719CBEB25CFAAC884BCDBBB5FF49708F24805AD409AB251D7756946CF91

Function 06FA29C0 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FA2A58

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 34408598d4fb1d2cd4263d6f8763fb7ceacc7295e96d44a3ca7df0079410f957
Instruction ID: 81c54e9c7fe12da4b437ec2c140d6822711095d845099b3592db55f9c7a41190
Opcode Fuzzy Hash: 34408598d4fb1d2cd4263d6f8763fb7ceacc7295e96d44a3ca7df0079410f957
Instruction Fuzzy Hash: AA2128B5D003499FDB10CFA9C985BDEBBF5FF48310F148429E919A7240D7789941CBA1

Function 06FA29C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FA2A58

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1933c76baee5a708e068182479f006340506ac1235a73075f1aad4cf0b9c3072
Instruction ID: cc72ead382aed54603b6d9732fe249e3bf6449ff777a4ebe2f49d953cb98eeb8
Opcode Fuzzy Hash: 1933c76baee5a708e068182479f006340506ac1235a73075f1aad4cf0b9c3072
Instruction Fuzzy Hash: 812139B5D003499FDB10CFAAC881BDEBBF5FF48310F148429E918A7240D7789941CBA0

Function 06FA23F2 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FA2476

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a5c2322b582b1cdd45f015b89247517a71a4075dc2f4f141d869b37a41d17b42
Instruction ID: fae111daca1aeca161ea8ca6ab783958fed3934303202fa14b29a3188ac75348
Opcode Fuzzy Hash: a5c2322b582b1cdd45f015b89247517a71a4075dc2f4f141d869b37a41d17b42
Instruction Fuzzy Hash: DB213CB5D003098FDB10DFAAC4857EEBBF4FF48224F14842AD459A7241DB789945CFA1

Function 013CD37B Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013CD407

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eabbe5dc5ddf979bf5d8e80e498915e6a104aa67764766829ec4f2e5c67a887f
Instruction ID: b025617e5d3499cfcc2c979d3edc040cb65a2560b916587a0899c11b421437d1
Opcode Fuzzy Hash: eabbe5dc5ddf979bf5d8e80e498915e6a104aa67764766829ec4f2e5c67a887f
Instruction Fuzzy Hash: 9F2103B59003489FDB10CFAAD484ADEFFF4EB48310F14841AE958A3310D378A945CFA1

Function 06FA2AB0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FA2B38

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0fa167386173e8e9d6fa38bb8a74424a1140f03bb9c4608491baed5fb79d8b53
Instruction ID: 2c8047ec53cf330c526cfdb818e0c306ac015bc4c378c6a55bcaba14249a0f44
Opcode Fuzzy Hash: 0fa167386173e8e9d6fa38bb8a74424a1140f03bb9c4608491baed5fb79d8b53
Instruction Fuzzy Hash: B02116B1D003499FDB10CFAAC880BEEBBF5FF48320F14892AE519A7250C7789941CB61

Function 06FA2AB8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FA2B38

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2fd30b43d1efbeaacc298ff90bc5dce1dd9b6c03252aa2bd0eb043ac61a206d1
Instruction ID: b83d89cce729b8fba1272d54c250e7aea350fa62806d458fdc025c2a89f9f864
Opcode Fuzzy Hash: 2fd30b43d1efbeaacc298ff90bc5dce1dd9b6c03252aa2bd0eb043ac61a206d1
Instruction Fuzzy Hash: C02105B1D003499FDB10CFAAC880BDEBBF5FF48320F148529E519A7240C7789941CBA1

Function 06FA23F8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FA2476

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 61db5352e90046be2a1d46ab0864315274d8d0a5b0bebc82728d0beba69274f9
Instruction ID: fcb3d19af3723296196573d4d02ad3e92835bbb3e3fbbb380b2b28bdf443222e
Opcode Fuzzy Hash: 61db5352e90046be2a1d46ab0864315274d8d0a5b0bebc82728d0beba69274f9
Instruction Fuzzy Hash: 472107B1D003098FDB10DFAAC4857EEBBF4FF48224F148429D959A7241DB78A945CFA1

Function 013CD380 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013CD407

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2e005d644307a2b345f4338844683d3973c3df49d76819a3eb3eceea6cc6b512
Instruction ID: 4aa9490b1c417d3afdb61766c89435a79207d5929034984aa4bdb646605d51d7
Opcode Fuzzy Hash: 2e005d644307a2b345f4338844683d3973c3df49d76819a3eb3eceea6cc6b512
Instruction Fuzzy Hash: 3C21E4B59003489FDB10CF9AD484ADEFBF4EB48310F14841AE918A3310D378A944CFA1

Function 06FA2900 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FA2976

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7c5838c70b8d577fd0e2daf3643f9c4f1c5d5a270a8e112325f9c2e5eea7a9a4
Instruction ID: 99051817cbfb2c42369d731115791e2ab39d667aa00ec2db792682d653326e10
Opcode Fuzzy Hash: 7c5838c70b8d577fd0e2daf3643f9c4f1c5d5a270a8e112325f9c2e5eea7a9a4
Instruction Fuzzy Hash: 961147769003489FDB20DFAAC845BDEBBF5EB88320F148419E519A7250CB79A941CFA1

Function 06FA2340 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FA23AA

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a6ab953388753f67e4e472702d04cef9f79ab0ae84012f01c1cd37d9a5851125
Instruction ID: 57b929bd93c999934530bf60e7ea1b05d700de19a045ec6c0b3da990992d2b8f
Opcode Fuzzy Hash: a6ab953388753f67e4e472702d04cef9f79ab0ae84012f01c1cd37d9a5851125
Instruction Fuzzy Hash: 741188B1D003488FDB20DFAAC8457DEFBF4EF88220F248819D419A7200DB79A945CBA1

Function 06FA2908 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FA2976

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2508d77500e5ad82b5eb059b679c50c745ca286189234b489b1b3d7013894c1d
Instruction ID: 6f697ab3f28024af2c64c80f626f2fc4509994f03a9be808dd345e44348cee12
Opcode Fuzzy Hash: 2508d77500e5ad82b5eb059b679c50c745ca286189234b489b1b3d7013894c1d
Instruction Fuzzy Hash: 23112975D003499FDB20DFAAC844BDEBBF5EF48320F148419D515A7250C779A541CFA1

Function 013CB373 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013CB3DE

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d14a6150286dec9df5e0dd9913f4bac3e59d9afd99797e129a12ad81b3554dc4
Instruction ID: 895fd92da1224ccc7319af32cdf1996fc48ed1fbf7a084121888d124bde30636
Opcode Fuzzy Hash: d14a6150286dec9df5e0dd9913f4bac3e59d9afd99797e129a12ad81b3554dc4
Instruction Fuzzy Hash: 431104B5D002498FDB20CF9AC445ADEFBF5EF88324F14851AD859A7600C379A546CFA1

Function 06FA2348 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FA23AA

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ea4e6078ee132347979d1ba630eeb83804c7f3627e4e8f4798eb9d69e18ba4e8
Instruction ID: 601343dc98649255054ad751c70b0541a1c75cf405fc694bab8b619db9d0f9df
Opcode Fuzzy Hash: ea4e6078ee132347979d1ba630eeb83804c7f3627e4e8f4798eb9d69e18ba4e8
Instruction Fuzzy Hash: E71125B1D003488FDB20DFAAC4457DEFBF5EB88224F248819D559A7240CB79A945CBA5

Function 013CB378 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013CB3DE

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e0b8bb821d0ea7a10ebf7f55d50a0f394f88a77b4724c222bdfd6b5d79b67428
Instruction ID: 7104c8b05450e5ba4dab728efe0ad5ff2cb951ba4da7123a632c6ce30f21efc0
Opcode Fuzzy Hash: e0b8bb821d0ea7a10ebf7f55d50a0f394f88a77b4724c222bdfd6b5d79b67428
Instruction Fuzzy Hash: C311D2B5D002498FDB10CF9AC445ADEFBF4EB88614F10841AD929A7610D379A545CFA5

Function 06FA398C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06FA5965

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c7c7a3196a22a49398d1b839ea0e430014da6f845ae59ca2cad03afcd6f7d72b
Instruction ID: de9aeaa47b65d4c454b8a5f000fe38c5ef8e1e270f8de5ecee251dc4f474a6f2
Opcode Fuzzy Hash: c7c7a3196a22a49398d1b839ea0e430014da6f845ae59ca2cad03afcd6f7d72b
Instruction Fuzzy Hash: 041106B58003489FDB10CF9AC585BDEFBF8EB48320F108419E554A7700D379A944CFA1

Function 06FA5907 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06FA5965

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2d9218ecf548d016bf6f8b90368ffa1d2bc5e53c96e01bf0b914bdc4ca142543
Instruction ID: 8978d20ba5f9cbce03c81aaf3f807078f7db8570eaee759d255dd1ea78da73bc
Opcode Fuzzy Hash: 2d9218ecf548d016bf6f8b90368ffa1d2bc5e53c96e01bf0b914bdc4ca142543
Instruction Fuzzy Hash: 2611E5B58003499FDB20CF9AD985BDEFFF8EB48724F10841AE558A7600D379A944CFA1

Function 0781D8ED Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

r, xrefs: 0781DB65

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 9af60d199a66bcef1b31e0f3277794657b2d8b719f7f15acae9aa807eb2c92d6
Instruction ID: 1d73af90b678f1ac8097bf0a3ce2cf47af12480d68070a0c980c5d143f7fde9e
Opcode Fuzzy Hash: 9af60d199a66bcef1b31e0f3277794657b2d8b719f7f15acae9aa807eb2c92d6
Instruction Fuzzy Hash: 067105B0A18209DBDB04CF69C084AADFBBEFB5E305F50D155D81AE7256C734A981CFA0

Function 0781F3B9 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

``Q, xrefs: 0781F452

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ``Q
API String ID: 0-756908128
Opcode ID: 9e39646b49b09d0b6c100d93f02ba7f4a8d2b92204a4773a40fa8bced37667d1
Instruction ID: 2dfc80becdf5f1f56e574583ec56feb2e65e7ccda04a79ca4cf0ddd5fd12caca
Opcode Fuzzy Hash: 9e39646b49b09d0b6c100d93f02ba7f4a8d2b92204a4773a40fa8bced37667d1
Instruction Fuzzy Hash: B951B1B0A11209CFCB80DF68D989BADBBB9FB49300F2082A9D40AE7355DB349D41CF11

Function 07811BD0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1052a254e278dcf8ea2c1b6dda4127f209e55d8a9825abffba93850c7790e998
Instruction ID: d013184ac4969fd43c7bd82ddb66be086cd4c1d59b006e2be752cb4704ee5852
Opcode Fuzzy Hash: 1052a254e278dcf8ea2c1b6dda4127f209e55d8a9825abffba93850c7790e998
Instruction Fuzzy Hash: C7E1DE75B1020A8FDB08EFA5E4947AD7BB6FF98304F008469D506EB3A5DB31AD05CB91

Function 0781C268 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3bb7b4a15aaa70791e83a861ef7bf999b2b735f05812551ec799ed1c7b728b
Instruction ID: c23fa9a3d666d74cfd68279d28a7ff86bd648ea31b725235417cf23135a9e503
Opcode Fuzzy Hash: 9e3bb7b4a15aaa70791e83a861ef7bf999b2b735f05812551ec799ed1c7b728b
Instruction Fuzzy Hash: 23B16CB0E65219DFDB04DFA8D884AEDBBBAFF59300F109625D419EB245DB30A845CF90

Function 078183D8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203e0736a2b9780fb86fc7c1342e675bb3aa98720d3aaffeb93af5b8a343e443
Instruction ID: 6dad476f9dd355cdd583c0a75ac7888fe6967824b9d041a62d408fc7ddba14ac
Opcode Fuzzy Hash: 203e0736a2b9780fb86fc7c1342e675bb3aa98720d3aaffeb93af5b8a343e443
Instruction Fuzzy Hash: 59717FB4D15209CFCB04EFA8E4869FEBBB9FF4A310F149569D445A7354CB349805CB50

Function 0781C050 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be239c7dacce3cb3719884fd70109affc9f5e72e8adabb49a051f8fed7ca348
Instruction ID: c7dd92600d0ac7d821362c56aaf7e61fc1962aac0cbd1d51fd4030d2aa2274fe
Opcode Fuzzy Hash: 4be239c7dacce3cb3719884fd70109affc9f5e72e8adabb49a051f8fed7ca348
Instruction Fuzzy Hash: D561F2B4E54218CFDB08CFE9C884AEDBBBABF9A300F10902AD419AB355DB345945CF50

Function 07814E09 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f87ad766aa857cfebce2b82451db57a198495e3acb458d56344e60083454d14
Instruction ID: 1e8ee043f97ff219c96933f33916e3d5a383ec6aa2d5d4d5fadcfe10c77511a3
Opcode Fuzzy Hash: 0f87ad766aa857cfebce2b82451db57a198495e3acb458d56344e60083454d14
Instruction Fuzzy Hash: CC718C74A11249EFCB14DFA9D884DAEBBB6EF49724B114098F905AB361DB31EC81CF50

Function 07818B40 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0716c4eb9beb693a0509272d741547b583849e734b3fb6790804c636d098c7
Instruction ID: 5c14cfe7823d3473e970a62dc02539af45c1cd26625d50e85930975dacb81341
Opcode Fuzzy Hash: ab0716c4eb9beb693a0509272d741547b583849e734b3fb6790804c636d098c7
Instruction Fuzzy Hash: 8D51F8B4D1520DDFCF04CFA9D485AEDBBBABF9A324F109029E419AB250D7315946CF40

Function 0781C043 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf102426cbc3c0fbbb594e9a859911090db85b39b634d8e2f136f1aee85a523b
Instruction ID: 5969015138409a1293be9f181b59f15b150aeda53eff08f7e0d91a753ab7ff16
Opcode Fuzzy Hash: bf102426cbc3c0fbbb594e9a859911090db85b39b634d8e2f136f1aee85a523b
Instruction Fuzzy Hash: AA5104B4E442598FDB08CFE9C8446EEFBBABF9A300F10812AD419AB355DB745946CF50

Function 07814B78 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642faa670a69ea381743d2b26539fcf7e77da58959265f74baf130320e0d86b5
Instruction ID: 3a06a5c54e4f8d8899c9a1015fdb88fb36943dbf779e81ac16afc3761a778aa6
Opcode Fuzzy Hash: 642faa670a69ea381743d2b26539fcf7e77da58959265f74baf130320e0d86b5
Instruction Fuzzy Hash: C451C070B102058FCB05DBB9D8589BEBBF6EFC5220B158969E459DB391EF309C058B51

Function 0781C7F7 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eac3ea7fda003a94ba74ae670db466a06924e1b2322cf0e1d963ab5b7f97160
Instruction ID: 7f5b00cc640fe08610e4ee6bd3a854b99602d47ff0d70c60866a9e425f6dcc4e
Opcode Fuzzy Hash: 5eac3ea7fda003a94ba74ae670db466a06924e1b2322cf0e1d963ab5b7f97160
Instruction Fuzzy Hash: C2415CB4E092099FDB08CFAAD4846EEBBFAEF8A301F14D02AD409E3651D7344941CB64

Function 078183C9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778835af148e6ffbc370a9ef33d4a0733d4a846a3447315b9f8ede4a385f8c7f
Instruction ID: 546f0130752341e3d6148d67593dfb9146f62ab383c00cb8c0e55fba457ca590
Opcode Fuzzy Hash: 778835af148e6ffbc370a9ef33d4a0733d4a846a3447315b9f8ede4a385f8c7f
Instruction Fuzzy Hash: 48416AB0D1420ACFCB04DFA9D456AFEBBBAFF8A310F149169D406A7351DB349805CB91

Function 07810E38 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef0fe9cb490749da0d76ffca5909cc05c2bc472c54ea34b65063c7beaafc8eb
Instruction ID: cfe71761b4a6270a8e488ab1d015110147ab169d01a9eec66aec6f22f947251e
Opcode Fuzzy Hash: bef0fe9cb490749da0d76ffca5909cc05c2bc472c54ea34b65063c7beaafc8eb
Instruction Fuzzy Hash: E541BE75B101098FDB14DFA9D854BAEBBFAFF88210F154469E509E7390CA31AC45CBA4

Function 0781972C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4a245fc092cb23e49c332f77264252783853356094cc8eb648b222804414ce
Instruction ID: 6d0a7d530529c7f31ed4d89376e23ba5ee84f26c17ce3208521637b693e3b497
Opcode Fuzzy Hash: dd4a245fc092cb23e49c332f77264252783853356094cc8eb648b222804414ce
Instruction Fuzzy Hash: 1B416AB4D09289DFCB05DFB9C4516ADBFB8AF57304F1484EAC409EB2A2E7349A44CB51

Function 07818708 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71080051ea0f4da80bad74a468f61940e90ddf5b82d44e9989dc0059e85f2fc6
Instruction ID: 05d801959d3fd0e9ff15dfebe97750257b1cc54359dd45fe2ca983193cc650eb
Opcode Fuzzy Hash: 71080051ea0f4da80bad74a468f61940e90ddf5b82d44e9989dc0059e85f2fc6
Instruction Fuzzy Hash: 294114B8E1920DDFCB04CFA9E54A6EDBBBAAB4A310F14942AD816E3341DB345941CF50

Function 07815AA8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc3a7c388d45bfcd0f9bde78a5f91cc1121788691b43db258611a015f69595e
Instruction ID: 60d1cc888938587fe244cbb37866fc9a3a99ca3e164a8ecfa69ad4d8f677ae55
Opcode Fuzzy Hash: bcc3a7c388d45bfcd0f9bde78a5f91cc1121788691b43db258611a015f69595e
Instruction Fuzzy Hash: DC41F875B002198FDB14EFA8C894BDDB7B5BF98714F114069E905EB3A1DB39AC01CBA0

Function 07810268 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dac36f8e1d85cb64da66a47b9781a88b0578d9ce42efc2aa9aa97475d8d528
Instruction ID: 2d8001d7fdf53677fecd023aa77a11b58e34e587d8f59af4c92c89a12d41ea43
Opcode Fuzzy Hash: a8dac36f8e1d85cb64da66a47b9781a88b0578d9ce42efc2aa9aa97475d8d528
Instruction Fuzzy Hash: 2941A035A103068BEB00EF68D84439A73B6BF96714F558535DC0C7F385DBB5388A8BA1

Function 07810258 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c0e0c3a0116f66d743a08cbad76e41179343c5bead9e8aa2ddaa159e3e6968
Instruction ID: 24ca7ba2460d71cf6fbea6a7230b95535a4c048d1dbbc52601417337b8bfec0e
Opcode Fuzzy Hash: 66c0e0c3a0116f66d743a08cbad76e41179343c5bead9e8aa2ddaa159e3e6968
Instruction Fuzzy Hash: 52419E36A107029BEB00EF68D84039A73B6AF96714F158575DC0C7F346DBB5788A8BA1

Function 07817244 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6b9e0f122f03b19518b150771856a04d96267b437562c19c4d53e5b3283171
Instruction ID: d0213bcf34e731c59e5fe5cfa12a519fdae7bf5fcd175a682d700ccb0d3a5ec5
Opcode Fuzzy Hash: bb6b9e0f122f03b19518b150771856a04d96267b437562c19c4d53e5b3283171
Instruction Fuzzy Hash: DF316BB1900349AFCB14DFA9D845ADEBFF9EB49320F10842AE909E7210D774A944CFA1

Function 07812DF0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28910e29120123884a1fc38cc0e1994686dabb6c8a209a13bdc10797a2975cf0
Instruction ID: 851be456eee150897bc28b60f6b8b7dcd944b055dc1c00b06b438abce3160407
Opcode Fuzzy Hash: 28910e29120123884a1fc38cc0e1994686dabb6c8a209a13bdc10797a2975cf0
Instruction Fuzzy Hash: 073181B57201158FD718DF28C858BAE77EAFF99714F1440BAE106DB3A2CA75EC018B91

Function 0781F38D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651c219b24884abb529589c7bf07a4a8b270f884c00f0cd0189046ec31953401
Instruction ID: 55741b775a7ca90cd4720a8edded40a3e0c974004c5ced81274e2a87071fb98c
Opcode Fuzzy Hash: 651c219b24884abb529589c7bf07a4a8b270f884c00f0cd0189046ec31953401
Instruction Fuzzy Hash: FA418CB591520ACFCB80DFA8E589BADBBB9FB49304F20D655D009EB359DB349941CF10

Function 07811BC0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d331e25a306023aa8bcd776bb4c4d3b84fde9e9a3e3f9813a98d3c78539d7b4e
Instruction ID: 9c5a1d0aafbd0b407d58e0ecd4d1eb8f3da2289eebc3d85c16f87393c83e504b
Opcode Fuzzy Hash: d331e25a306023aa8bcd776bb4c4d3b84fde9e9a3e3f9813a98d3c78539d7b4e
Instruction Fuzzy Hash: 8C3131B5A1020A9FCB149B78D4586AEBBBBFFA9314F554058E002DB394DFB09C45CB80

Function 078134A0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24c2b8de366a57eb72ff8d890b91bf4455d99e95443c5e3a7980bc67b71752c
Instruction ID: b8f809540bf330dc68381962cdadc245a27aa2ef74d69d9fd1000ee97376d935
Opcode Fuzzy Hash: f24c2b8de366a57eb72ff8d890b91bf4455d99e95443c5e3a7980bc67b71752c
Instruction Fuzzy Hash: 09313232C10B0A9ECB01AF78C8544D9FBB1FF95350B118B5AE9596B221FB30E6D5CB80

Function 0781D933 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6854520ac28262b141149cc5228b8574d66123a59df810a19e1742d6c6804313
Instruction ID: 64a7898a14f8ca11526c60f613c400ec48c074ec0198528b6ff3f78b3414d8b8
Opcode Fuzzy Hash: 6854520ac28262b141149cc5228b8574d66123a59df810a19e1742d6c6804313
Instruction Fuzzy Hash: 9C2118B1E19218DFCB08CF6AC4446EDBBFABB9E301F10806AD406E7251D7349901CFA0

Function 07812610 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53af517047c2f900e89cac6cb0d7d5c5d744abcf2371385a50cebc2d6c4948b4
Instruction ID: 8d7ab65c51e2511562767bac86120377566e5d7a57f01237ec3ccd635b305a1e
Opcode Fuzzy Hash: 53af517047c2f900e89cac6cb0d7d5c5d744abcf2371385a50cebc2d6c4948b4
Instruction Fuzzy Hash: F0212A75B101098FDB14DF69C498AAEBBF6FF89310F5544A9D409E73A1CA31AC45CB60

Function 07815D61 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d20e8abd46f9236d56634b2692a4c775b5c85834e81194a2e90681fa06db3f
Instruction ID: 41f92411182e7e10f7100905e761711eb87793f49ec6c02c06caf36dd1f76a1b
Opcode Fuzzy Hash: 11d20e8abd46f9236d56634b2692a4c775b5c85834e81194a2e90681fa06db3f
Instruction Fuzzy Hash: D92159703102118FDB299B38D858A6977F9AF96A14B2584AED406CB3B1DBB2DC46CB50

Function 012ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363438681.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9d580e119134a9dc3ddef5e0b3a1ce2fdbfc830a8dabd9415547e36b907448
Instruction ID: 4f0a471487c75325071480d0ef7d0a91967349cdbdb3e02a5e42e2c7ee25b8eb
Opcode Fuzzy Hash: 8d9d580e119134a9dc3ddef5e0b3a1ce2fdbfc830a8dabd9415547e36b907448
Instruction Fuzzy Hash: A9214572510348DFDB16DF54E9C4F26BFA1FB88318F60C569E9090B256C336D446CBA2

Function 012ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363438681.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3737ce252ecb7a64b105e53d6906dece9918382270af905bdcbd37129355a0c7
Instruction ID: 1bfe922a7b5df1104d597a64e795994b07ecf2b637a7389d2d522adc73a06ece
Opcode Fuzzy Hash: 3737ce252ecb7a64b105e53d6906dece9918382270af905bdcbd37129355a0c7
Instruction Fuzzy Hash: C6217575110308DFDB05DF84C9C8F56BBA5FBA8320F60C168E9090B206C33AE846CBA2

Function 078134B0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b7cd9db23a5f6d8b2d59dd605a5ffd70c55ac14fdeef817c7dff205a0923e5
Instruction ID: 3471c43b5b5e1b2e60b3b1938c0407dddcef66cfe3874ca386d97182e6f39c8e
Opcode Fuzzy Hash: b4b7cd9db23a5f6d8b2d59dd605a5ffd70c55ac14fdeef817c7dff205a0923e5
Instruction Fuzzy Hash: BA31F132D10B0ADECB01AF78C854499F7B1FF95350B119B5AE95967221FB30E695CB80

Function 07813301 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf138787cab9ee5354864e45c6c372a056c5ed3871788a9d546d821b66eee10
Instruction ID: bc1b8b8553e8eaba286aed8f2c42071cac0298ac5ed31010e19e48237f752106
Opcode Fuzzy Hash: 3bf138787cab9ee5354864e45c6c372a056c5ed3871788a9d546d821b66eee10
Instruction Fuzzy Hash: 182124313102128BEB04A76DE45472F3BEBEBE8B18F14042DE142D77DACDA2BC424391

Function 07810F78 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735381615c7dfc3f395a0f558a6a163ee70d29ff0d8d9c8eb239d4b8a7ad7808
Instruction ID: dd7cd8b70ad7fb3de64bd461fb3f004022bad18f650b8bfaca4dc2b377d248a6
Opcode Fuzzy Hash: 735381615c7dfc3f395a0f558a6a163ee70d29ff0d8d9c8eb239d4b8a7ad7808
Instruction Fuzzy Hash: 2A2158B67002159FCB24DE19D480E6AB3FEFF98A60F01842EE606C7B50CB72EC418B51

Function 07815D70 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b518a28c09e55e3e69de93076792b7f2975ed3c6a439a54f4d53ef52cc2e92d7
Instruction ID: 96c53e8f5d56f5733a8f32083d1583640b8d0ee6aceada849e49018f54ea9f65
Opcode Fuzzy Hash: b518a28c09e55e3e69de93076792b7f2975ed3c6a439a54f4d53ef52cc2e92d7
Instruction Fuzzy Hash: 092129743102118FCB18AF39D458A2A73FAAFD5A15B21846DD506CB3A4EBB2EC42CB50

Function 012FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363560110.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10b9e00fa52c48fcc85aa8274176488ad23a9faa93810710a7491b7f7526b89
Instruction ID: 6fe094c65b406130ff3dbaa3f827a344148e5e704aaeec85b90401b7ffed370c
Opcode Fuzzy Hash: b10b9e00fa52c48fcc85aa8274176488ad23a9faa93810710a7491b7f7526b89
Instruction Fuzzy Hash: B0212271614308DFDB15DF64D9C0B16FB61EB88354F20C57DEA0A4B242C37AD847CA62

Function 078197C8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf8d9ba0db32be8ddd3f5f6b8c9e0a378a8bf39411a341585760611fcd92ec9
Instruction ID: 7cfc1e87720731ceb54debd1b2dfa24fd7bbb993ef9c6bbf2b0f4239d46e7dfc
Opcode Fuzzy Hash: ecf8d9ba0db32be8ddd3f5f6b8c9e0a378a8bf39411a341585760611fcd92ec9
Instruction Fuzzy Hash: 21212CB0D1424DDFDB44DFA9C5506ADBBBAFF5A304F5090A9D40AEB251D730AA41CF90

Function 078121D8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168b9a543dbf7e1635b75e9dcc4488e956970792876e0c7eb1e373824fccd5c9
Instruction ID: 439502180649eef45ff76960c42a59d58c4490550fff50f13a1ee4a4dc720abd
Opcode Fuzzy Hash: 168b9a543dbf7e1635b75e9dcc4488e956970792876e0c7eb1e373824fccd5c9
Instruction Fuzzy Hash: 321122B17002004FC724CA58C8C4B2EFBEAFB99700F2484A9E55ACB790CA24EC418785

Function 078111D4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a076c37e1adbb6e2636d6e08afc2b77ee096f0566b316f71bcde980619a8fba
Instruction ID: e3faac1a29ba19df1e84adbeb61db14c2c7edac3772ea8f91798fb1c4ed5edcf
Opcode Fuzzy Hash: 6a076c37e1adbb6e2636d6e08afc2b77ee096f0566b316f71bcde980619a8fba
Instruction Fuzzy Hash: 8331E0B0D11358DFDB20DF9AC584B9EBBF4EF48714F248459E448BB240DBB99845CBA1

Function 0781F6F5 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32255c24d7022c8a3823b6f92e7370e79c58556c903ad69fa8e7e91628d6003b
Instruction ID: 9d0ab740f7b39855eb1e875fb61ee3988888bbb8e1ab85c5275385e98f301a20
Opcode Fuzzy Hash: 32255c24d7022c8a3823b6f92e7370e79c58556c903ad69fa8e7e91628d6003b
Instruction Fuzzy Hash: C2217FB490120ACFDB40DFA8D589AADBBF9FF19310F208225D549E7395D734A942CF40

Function 078104B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b215bc2711ed02febf9722c1017fefd920d091c2ec3c0beadf1d57a365b41e74
Instruction ID: bdb97d451a95724649d2ce67b87eda3bc8f20f5fe28e8aeb5d95e7a351e80c56
Opcode Fuzzy Hash: b215bc2711ed02febf9722c1017fefd920d091c2ec3c0beadf1d57a365b41e74
Instruction Fuzzy Hash: 93219039D202068FDB05FBA8E8546EEBB36FF85704F158618E10673380EB70B995CB91

Function 07813310 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9005af2692344dd14c7e5a4e083598a85930a4899ed38a661d97aa0a3d0cbf4
Instruction ID: dc18cc65f162800c76fe345a6b21c185b0da044ea4ac641b7ad9faabe127e5df
Opcode Fuzzy Hash: b9005af2692344dd14c7e5a4e083598a85930a4899ed38a661d97aa0a3d0cbf4
Instruction Fuzzy Hash: 721191303102224BEB04AB6DE45572F76EBEBD8B18F10402AE142D77E9CDB6AC5247D2

Function 0781C990 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ace0911945746299b3c09db4e5dc5ff248124c481e371ca917060db6647bdf
Instruction ID: b6b66982a14914b344762c2815ae4f2279fac8f8fbdcc0ca5623ca6ab81faf0c
Opcode Fuzzy Hash: a0ace0911945746299b3c09db4e5dc5ff248124c481e371ca917060db6647bdf
Instruction Fuzzy Hash: 36211DB4D59249DFCB44DFA9C141ABEBBF9AF59300F60509AD409E7712D7309E40CBA1

Function 07816934 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1fab1da2b40898933d4e3e5ce257868b79cdef129438c8f5fded4f4d3aa84c
Instruction ID: 0b7a9630700a92124adc2eefefb5b3023395639e05e658aba6d2c896631348ee
Opcode Fuzzy Hash: 0b1fab1da2b40898933d4e3e5ce257868b79cdef129438c8f5fded4f4d3aa84c
Instruction Fuzzy Hash: BF31E0B0D113589BDB20CFAAC585B9DBFF4AF08714F24845AE448A7240DBB95845CBA1

Function 07815668 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930358413d2668d88b6bda9327c7208186ae0513d29ef70987fabd479b4a21f4
Instruction ID: 43022b536943107c0dbfb43392927243b3924ed70ca7c8ee64f9641b61697e7d
Opcode Fuzzy Hash: 930358413d2668d88b6bda9327c7208186ae0513d29ef70987fabd479b4a21f4
Instruction Fuzzy Hash: 8821F971E0020A9FCF45DFA9C8449AFFBF9FF99200B14865AE514E7215EB70A952CB90

Function 07813090 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa7884d8d44a4c4d8f5969a5a71b1885fe2b921b9132b2511049c408d46deb6
Instruction ID: ede5259d2ee2b7d376d5462fa99d66b3361cb462bbc7880d3d2a1f11f36efefd
Opcode Fuzzy Hash: 4fa7884d8d44a4c4d8f5969a5a71b1885fe2b921b9132b2511049c408d46deb6
Instruction Fuzzy Hash: 192147B67002159FCB24DF19C594A6AB7FEEF98A60F11442DEA4687B11C732FC41CB50

Function 07813070 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33867a825fdf3a801d06fe362878112ea6b43062a5d45a4fee7acaebaa2a1989
Instruction ID: e04bc46ad03dd7a76a5e59c59655b9a331e9dd27fdb3eaec2fe2f8283ce9e066
Opcode Fuzzy Hash: 33867a825fdf3a801d06fe362878112ea6b43062a5d45a4fee7acaebaa2a1989
Instruction Fuzzy Hash: DE113AB57006159FCB24CE19C584E6AB3FABF98A60F11842EE90AC7B10C732EC41CB50

Function 078104C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46257b098d5250e8e193c4fe8be49513f41db56f39ee6f6af7ab3619ab792a2a
Instruction ID: 21600807b3efaa18a76e849e8092325947529ebaca8876c948bb0a420f7d3c88
Opcode Fuzzy Hash: 46257b098d5250e8e193c4fe8be49513f41db56f39ee6f6af7ab3619ab792a2a
Instruction Fuzzy Hash: A721B039E202068FDB04FFA4E8146EABB36FF85704F158614E10673380EB70B595CB91

Function 012FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363560110.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0021535723e8a1ece34b15c71c197fe35bbac23b5be56a9b701ac760ab65288c
Instruction ID: 1a85ae016b5e13c84457a3d5061ca6e8bb294d208ea1232f202f8972c33cb3cf
Opcode Fuzzy Hash: 0021535723e8a1ece34b15c71c197fe35bbac23b5be56a9b701ac760ab65288c
Instruction Fuzzy Hash: DE2179755093848FCB06CF24D990B15BF71EB46314F28C5EED9498B2A7C33A980ACB62

Function 0781677F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e249f33ecd63f959c38836f145ddc5d235ed979bbc2e2b6b22c5296d793275b
Instruction ID: 26fa8fa837ea7be9d5bfe83f189ac4f313e1198850cfa84cfdb0022adf03c885
Opcode Fuzzy Hash: 8e249f33ecd63f959c38836f145ddc5d235ed979bbc2e2b6b22c5296d793275b
Instruction Fuzzy Hash: 8B11C1B5A003568FCB11EFB898445BEBBFAEFC52207154929E858D7280EF3089058761

Function 07811AB8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c895fa6d2e76bdd29930cb51eff224dd15d0bbcf4a5b52342e83b27ef2a5dff5
Instruction ID: 5d8c89fc0ffdac396cae7042c26297d3d6b0605d81435fac784c5e9c36ee6a13
Opcode Fuzzy Hash: c895fa6d2e76bdd29930cb51eff224dd15d0bbcf4a5b52342e83b27ef2a5dff5
Instruction Fuzzy Hash: C211B2743107148FDB14AF79C85875A37DBEF8A710F1081A9E06ACB3E5CE70AC428B92

Function 0781B78F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1fbc56c3b14dc0365d2641e1a0c6d492001020d668fecbf143aa377a374466
Instruction ID: ac76e22ababa52e9ea4b008409685461e4ba91903f8b3963e4740f7e9e47ef20
Opcode Fuzzy Hash: df1fbc56c3b14dc0365d2641e1a0c6d492001020d668fecbf143aa377a374466
Instruction Fuzzy Hash: 92212CF4D18208CFDB14CF66D880BA9BFBABF96304F10D4A9D149AB311D73419858F41

Function 07815678 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00365b8ed5b3c7d0ddf36f428c3a1eeefe9553a4f77126f15fb1143991513034
Instruction ID: b89a946778b3a783294567cedeb9559a54902ed4cd618f5bb45bddaaa0445f96
Opcode Fuzzy Hash: 00365b8ed5b3c7d0ddf36f428c3a1eeefe9553a4f77126f15fb1143991513034
Instruction Fuzzy Hash: 6E21CC71E1020A9FCF44DFADC8448AFFBF9FF98210B10865AE518E7215E770A956CB90

Function 0781F4EA Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00fd7dedef5a323939d45425b36a8b327c3566d81581a08eaa62fa0d9e0b956
Instruction ID: a5815d14ca5ac14e175f089c544686daecc97ecd2921e276fbcca64953164c17
Opcode Fuzzy Hash: b00fd7dedef5a323939d45425b36a8b327c3566d81581a08eaa62fa0d9e0b956
Instruction Fuzzy Hash: 8D2165B5911209CFCB40DFA8D689AADBBF9FF49304F208229D449EB369E7309941CF50

Function 07813073 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0ee7cbed01dd64a923dcd26e3ae4c4f96946ae9f9d647a1bd6a0742afd7b54
Instruction ID: 30dcf7f3b379fc8360d1d8b5c343226715c623907bc95863379162bb2a217110
Opcode Fuzzy Hash: 7b0ee7cbed01dd64a923dcd26e3ae4c4f96946ae9f9d647a1bd6a0742afd7b54
Instruction Fuzzy Hash: FC1149B67006159FCB24CE19C580B6AB3FABF98A24F01842DE94AC7B50D736EC418B50

Function 0781CA48 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d743894c67b1dc4692ba1e384b1e643d438a70ea765f3c25340d1aba91cb33de
Instruction ID: b23e17383ba3b6cb140a97c55e1b3e71dee6582f8eec16f788ac62e02a7ee17f
Opcode Fuzzy Hash: d743894c67b1dc4692ba1e384b1e643d438a70ea765f3c25340d1aba91cb33de
Instruction Fuzzy Hash: 2B1134B0958209EFCB06DFAAC4419ADBFF9BB5A314F109A96C058D7252D3309A448BA1

Function 0781C9A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d8741d125616edc8f7c7747b01069db0a36eddc4ebeaa54a3d8d9ce5f65e2d
Instruction ID: d340180f6a4b4f7865cc6be0b11196fe7cee9a3c0798e8381a4fe6ef1c0c3034
Opcode Fuzzy Hash: 60d8741d125616edc8f7c7747b01069db0a36eddc4ebeaa54a3d8d9ce5f65e2d
Instruction Fuzzy Hash: 0721D8B4D54209DFCB40DF99C181AAEBBF9BB59340F609055D909E7711D7309E40CFA1

Function 078166B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882129202bd4b3d4156a68db475b9557434fc47fcff1e1ee26638016e9e0bd3a
Instruction ID: cc7c46196384428498e7c02e5c28efd77fe1267cb6e014e47b28c25b4039a772
Opcode Fuzzy Hash: 882129202bd4b3d4156a68db475b9557434fc47fcff1e1ee26638016e9e0bd3a
Instruction Fuzzy Hash: 3A114C71B0031A8FDB14EFB999106EEB6B6AB88711F20416AC445E7344EF319D01CB91

Function 07817254 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062dc8d579ab553550c02a394dd52b041c3ca13b0803e0e57e9641dd0a292fad
Instruction ID: de3a4de2a9c3b9d5a61551fd42ebbcc47523f05089856388470c1ba0f0ae9581
Opcode Fuzzy Hash: 062dc8d579ab553550c02a394dd52b041c3ca13b0803e0e57e9641dd0a292fad
Instruction Fuzzy Hash: F02114B59003499FCB10CF9AD885BDEBBF8FB59320F108419E918A7300C379A954CFA1

Function 012ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363438681.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction ID: 2dfa58d5fc6aa34dd64ffc2461e9b50921741f7520366ee9763e85f4f439951c
Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction Fuzzy Hash: 9E11D376504284CFCB16CF54D9C4B16BFB1FB88314F24C6A9D9490B657C336D45ACBA1

Function 012ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363438681.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction ID: 13f6895a2af35987f5b23041e9d0071f0877d8f05d7ad80e05b7379a8d880040
Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction Fuzzy Hash: 8F110376404284CFCB06CF44D5C4B56BFB1FB94324F24C2A9D9090B257C33AE456CBA1

Function 07815F20 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaab2948aa9d96ac24214513b23c3b0270e7985426b44594df62efcbb4d9dd2b
Instruction ID: fad15765ee44f1515793fb8d5662143b7ac9bb50162950d4f81422380ea16107
Opcode Fuzzy Hash: eaab2948aa9d96ac24214513b23c3b0270e7985426b44594df62efcbb4d9dd2b
Instruction Fuzzy Hash: 5301E171B082508BD709E678985436E7F969BC6600F1980ACD109D7285EE344C468391

Function 07811AC8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9470757912b9578c3ffef142e613512c65edae6778bb87bc742425dcedb4483a
Instruction ID: a073625648a1994280d1794db2997a288955b35bcdf29a3789b66f5b7c727036
Opcode Fuzzy Hash: 9470757912b9578c3ffef142e613512c65edae6778bb87bc742425dcedb4483a
Instruction Fuzzy Hash: 721151343107158FD714AF7DC85475A33DBEF8A724F1081A9A06ACB3E5CE71AC418B92

Function 07814520 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0794ca54deda9f5987cc1a100138d69b5f030e308f1ba45a74f6af46fd5c5eb8
Instruction ID: 80eb58f5f16cf4cee85090f2f3b377540d26239472bc1690e01bfb9861785f61
Opcode Fuzzy Hash: 0794ca54deda9f5987cc1a100138d69b5f030e308f1ba45a74f6af46fd5c5eb8
Instruction Fuzzy Hash: 4011E5303203014BE704AB68D41979AB6E9AB64718F10851DD185CF3C6CAF6BC864B92

Function 0781DF20 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0b81de6663748ecc8524c38c42b57135bf5edb833b5aefdf7890d44273c91d
Instruction ID: 1bc707e04c04c6c1d0b482d5b259306f14f01f878d5fdb2af989fb59f505d932
Opcode Fuzzy Hash: 5f0b81de6663748ecc8524c38c42b57135bf5edb833b5aefdf7890d44273c91d
Instruction Fuzzy Hash: 17115BB0E18108EBCB04CF99C0847ADF7BDFBAA300F15D1A5D809D724AC730AB44CA64

Function 0781D131 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979090be3d70517952f0f977dc64af04d23acab929c0deba64e233b9201dd12f
Instruction ID: 2cdcf0b8273eeff016b821850b3c5afe570a82457c7d668016ca8ba285f8e683
Opcode Fuzzy Hash: 979090be3d70517952f0f977dc64af04d23acab929c0deba64e233b9201dd12f
Instruction Fuzzy Hash: BA11E0B4A18259CFCB10CF94C684BECBBBDBB6A315F105995D40AEB251D734A981CF30

Function 07811034 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fe9c5c18786855027a0c222bc0d10282ea48691962e5d1896d23137d690433
Instruction ID: b51b4ff9d8b87325eb0d587aba2da3cc609a317df7e56d586d6667c3a43768b9
Opcode Fuzzy Hash: f7fe9c5c18786855027a0c222bc0d10282ea48691962e5d1896d23137d690433
Instruction Fuzzy Hash: 731188703203115BE704B768D4187AB76E9ABA4718F10C51DD589DB3C6CEF6AC864792

Function 0781DD20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca780f6f19dc60c9abaf3865d3c7fa7de7e9ced87618aa84726f6a1a7966166
Instruction ID: bfa3cc2a43cba81002af9a3367ab0c94c8b6a7bccc36f0d7ba0c3531f4cbc530
Opcode Fuzzy Hash: 7ca780f6f19dc60c9abaf3865d3c7fa7de7e9ced87618aa84726f6a1a7966166
Instruction Fuzzy Hash: 0B01BCF0A1D248DBCB01DB64D448BA8BBFCABAB348F109191C009CB163D7309A04DBA1

Function 07815910 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8e0e9ec732508e6d57fd37c767545c452d6ea32d91107a920452c451561ce7
Instruction ID: d1909d6e312457179008661689882376e4da0b4546486b086f09bf2e2233e3c4
Opcode Fuzzy Hash: 2f8e0e9ec732508e6d57fd37c767545c452d6ea32d91107a920452c451561ce7
Instruction Fuzzy Hash: 1301F1713102428FC315DB28E040E65B7B9AFD5620B2481ABD449C7321DB70EC07CB41

Function 0781F9BC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0523a161031ca435a237ce92dcdbbdcf1ddba6dfdce6a3ca566b1c1af081675
Instruction ID: 04a619986f65f918d6d42dd002cd4b8ca3125de69a8ec96cc434fc82b20de67a
Opcode Fuzzy Hash: b0523a161031ca435a237ce92dcdbbdcf1ddba6dfdce6a3ca566b1c1af081675
Instruction Fuzzy Hash: E811F8F4A10308DFCB80DFA4D6496ACBBB9FB89300B20512AD40AAB715EB345C02CF10

Function 07813800 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefb59bd7478b0159cc5727ee27672252da2c3beb60002d30d1998cba8c6c188
Instruction ID: ad983d33a1fcf2d073c214070f0663cbd6bde19c92ca1c638456261ee10eaaa3
Opcode Fuzzy Hash: eefb59bd7478b0159cc5727ee27672252da2c3beb60002d30d1998cba8c6c188
Instruction Fuzzy Hash: F8014932B006049FCB167B79E4686AEBBFAEBC9391F04451EF50583315EF3498418781

Function 0781D492 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f20ff4f80f7afb44ab8a825dbc7d996e597443ebdc23d4478ea8e20af9973b5
Instruction ID: 19c6c19235dc752768b3d52a8d14a3cb9ccac58dfef1e55672d8c9acccd38046
Opcode Fuzzy Hash: 3f20ff4f80f7afb44ab8a825dbc7d996e597443ebdc23d4478ea8e20af9973b5
Instruction Fuzzy Hash: A00113B4A18248CFC744CB94D584BECBBBABB9E305F546499D80AE7302DB35AD40CF20

Function 07814990 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8889f4bfc06748a9dc6f7700fb24cc0d4f63c05e89733c33ef3946ddcda5565c
Instruction ID: b668d3ee111e95b7ff87ab3a45edb578fc0a4fd93a55d095221e2799083677a3
Opcode Fuzzy Hash: 8889f4bfc06748a9dc6f7700fb24cc0d4f63c05e89733c33ef3946ddcda5565c
Instruction Fuzzy Hash: 9101F4726002445BDB258E65D8C5FAA7FAAEB99324F184919E1DAC2220CB36AC11C750

Function 0781DDA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794108e02b473d3cca2d3484f34448160de3e72d0e5a02ff30d2acc659869973
Instruction ID: 36e5a571b6f94e57d22204982c0c1569c8b52354f91e0827e12c239bc06fc13d
Opcode Fuzzy Hash: 794108e02b473d3cca2d3484f34448160de3e72d0e5a02ff30d2acc659869973
Instruction Fuzzy Hash: 1B01E875A14208EFCB04DFA8C688BA9BBF9AB5A305F15D094D4099B355D730DE01DB50

Function 07815920 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c0c4c5dd0da0ab8319275c91d821836334c67fce532f2b6a91301c567b5503
Instruction ID: 253ade7ea7e096fd25bde00dbf558e0f007b2c85baa9e97397696652a7c1c17a
Opcode Fuzzy Hash: 37c0c4c5dd0da0ab8319275c91d821836334c67fce532f2b6a91301c567b5503
Instruction Fuzzy Hash: 320181753203058FC718EF69E450E2AB3E9AFC5624B64C56AD409C7324DBB1EC06CB91

Function 0781DD30 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9c259ef7017924993a5654e6291a790cb3d505a7f158b3ba8049db826b67d4
Instruction ID: 812e2efd537cfdf4ba20be7492f24f56f288aec8f6f00473caece1aa6710eaaa
Opcode Fuzzy Hash: ab9c259ef7017924993a5654e6291a790cb3d505a7f158b3ba8049db826b67d4
Instruction Fuzzy Hash: 7FF04FF0A1D248DBCB04DF59C548BB9B7FCAFAB348F0091A49409DB212D7709A44DBA4

Function 078149A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266404939b24e29852e102cb6367951d754d66507c7e73f2f7ad70644c5bb5ef
Instruction ID: 8be1d3c42a7d437739c7cdee7f62d605664c408409bbdc9fd7c41411b371710d
Opcode Fuzzy Hash: 266404939b24e29852e102cb6367951d754d66507c7e73f2f7ad70644c5bb5ef
Instruction Fuzzy Hash: 60F0F6727006145BDB25CE55D880EAB7BEEFB89324F144419E55AC7220CB36EC10D750

Function 0781D71C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b35d28c70c08583e53b3f04c478f68282437b5d224afa97f380f6087ccc61d
Instruction ID: 0ccc6ac98cdf9b7ab7e40ee208ea687eaf459c5c68899794a147a88cf067e92a
Opcode Fuzzy Hash: e5b35d28c70c08583e53b3f04c478f68282437b5d224afa97f380f6087ccc61d
Instruction Fuzzy Hash: 3201C4B0B18258CFC754CF94C685AACBBBEBB5A305F555499D40AEB216DB34A940CF30

Function 078111E0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36bb0fa8ad0ff84fc009016c8e1113336b761803460d288a53b547d0631d37b
Instruction ID: f1b49a88389481fdbfb01695bcb17c41638d80f13ba6c805e735237418bb2a2e
Opcode Fuzzy Hash: a36bb0fa8ad0ff84fc009016c8e1113336b761803460d288a53b547d0631d37b
Instruction Fuzzy Hash: 07015A34A12209EFCB48EFA8E85A6ACBFB5BF44201F1045A9D405E7385EB706A44CB41

Function 0781F694 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf558327aba4f9d0a34cb5f1a4035abd6bd1fc67ad4aa6e378cbc5cb5d3b989
Instruction ID: 1a4ba0fe6884c79ffd4df0faf8950ac6ffbb7322164dd58add67c16553a6d644
Opcode Fuzzy Hash: abf558327aba4f9d0a34cb5f1a4035abd6bd1fc67ad4aa6e378cbc5cb5d3b989
Instruction Fuzzy Hash: 7D11F7F4A51218DBDB94DF24EE49B99B7B1FB88304F1082E9D50AA3B44DB349D81CF20

Function 0781D631 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60f2c967983ef3e08b11ab556fef287516e2dfbdd423333978733cda903e370
Instruction ID: dd3c75d9ebd25cf870055e9c6ccfd7a6b3d4d1adbd0a74c082b6276656ac5c3a
Opcode Fuzzy Hash: e60f2c967983ef3e08b11ab556fef287516e2dfbdd423333978733cda903e370
Instruction Fuzzy Hash: 8801C4B4A14218CFC714CF94C684AECB7BABB9E315F545499D40AA7201C734AD40CF20

Function 0781FA27 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83bad2617123225f935cbef25c79122394874817e608f686cea6a3c39142ebc
Instruction ID: 403849584de1fd441aad43252967c0a735d63c925e6e615e3344412afed6b817
Opcode Fuzzy Hash: e83bad2617123225f935cbef25c79122394874817e608f686cea6a3c39142ebc
Instruction Fuzzy Hash: 2F01EDF4A10318DFCB80DFA4D64D6ACBBB6EB88300B20512AD40BAB755DB345C42CF15

Function 07816678 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefdabf3d1ace8ed4e68c3d72eee5a2f6ad56344f14306e51de635e2b302fba6
Instruction ID: db5daa0f7d7a7918803dce9f0a6dff3fa152b11935d7b1cc6a93fe159f4be820
Opcode Fuzzy Hash: aefdabf3d1ace8ed4e68c3d72eee5a2f6ad56344f14306e51de635e2b302fba6
Instruction Fuzzy Hash: 1AF090B6E053558ECB42EFF8A9002EE7FF4EF59210B0444BBC084E7111E2308614DBA1

Function 07818D40 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cbcfb480a1ff6998009281f9135b9d3af20c76eeb9b810bfda05dc45eda781
Instruction ID: 7a51faee4909c7c4bfb2bfc80631aed0bc1808d4e0e95190c2b84ad793a6c80a
Opcode Fuzzy Hash: 86cbcfb480a1ff6998009281f9135b9d3af20c76eeb9b810bfda05dc45eda781
Instruction Fuzzy Hash: D0F0E9B2604145AFDF05DF68D841E99BFFADF45214F1481EBE505D7211E3309911C701

Function 078111F0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726c958cea91e71a81bcf20d0b4a79a52e4ff1d70d7133e040591da7e1ca0dd8
Instruction ID: 51b9293d267dcc5c05ee08218a507a2f68e2857e8d28626a088f5f5566e516c4
Opcode Fuzzy Hash: 726c958cea91e71a81bcf20d0b4a79a52e4ff1d70d7133e040591da7e1ca0dd8
Instruction Fuzzy Hash: 4EF03C34A22209EFCB48FFB8E4595ACBFB5BF44201B1141E9D40597385EF706A44CF41

Function 07814620 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff87fc1e42e51aba338e28de69f7f6ec6b8cb164dd3606ba81e6a97cfa7d6024
Instruction ID: 0362c4781792f0e307ca25cdc1d1bcab689cefe9e069eaac3569a597cfe94549
Opcode Fuzzy Hash: ff87fc1e42e51aba338e28de69f7f6ec6b8cb164dd3606ba81e6a97cfa7d6024
Instruction Fuzzy Hash: C4F0FEB16147458FAB19CF18D48299577E9FB05398B30095AE46ACF302D772E8138B84

Function 0781CEC8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f015b800ca0cb83b5625a67676c12fa081e1cc3ff16137f69f09be34d00878f
Instruction ID: 45fb55e1812dc23bbafd636e1b9735ce9cfd652cd757427a187c1b3a04efea11
Opcode Fuzzy Hash: 1f015b800ca0cb83b5625a67676c12fa081e1cc3ff16137f69f09be34d00878f
Instruction Fuzzy Hash: 7FF08935405348FFCF029F60E9056DD7F75FF06311F004196E900572A1C33689A0EB95

Function 078113E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450637d2cfc81ebcac2402882f5ff11fae7f9c50b9599fb7ace4cd1c8b42eeb8
Instruction ID: 43a2f085786460f46e76955453c9407da18b8e9eb6f800d5b7a511df7fd87b93
Opcode Fuzzy Hash: 450637d2cfc81ebcac2402882f5ff11fae7f9c50b9599fb7ace4cd1c8b42eeb8
Instruction Fuzzy Hash: 85F0A03A311205DFD704EF78E840DAA37AEFF857503104479F5048B224DA71AC41CBD0

Function 0781D7C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad7cf37eb16f57ddb955f6efb063525612babead192af3054e66216a5ae9d45
Instruction ID: b93b816ea700f05abbd7e27c6b8b98df9c2fb5e68669abe785bcca12b8fd28ac
Opcode Fuzzy Hash: 6ad7cf37eb16f57ddb955f6efb063525612babead192af3054e66216a5ae9d45
Instruction Fuzzy Hash: F4F0FFB4A18259CFC710CB90D288BACB7BABB9A305F109585E40AE7212CB34A940CF30

Function 07815A51 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1807aa2f785526f3a3b3c931902d38d805baccff0032da6f99e9b8057e89dc
Instruction ID: ddbb817b2a7388d863a3f992641198d8d90dd29cfb5fc1c87f4bbd6b08bd3b28
Opcode Fuzzy Hash: ea1807aa2f785526f3a3b3c931902d38d805baccff0032da6f99e9b8057e89dc
Instruction Fuzzy Hash: BBE0E53220C7424BD306DA69E84089AF7E6AED1524344862BD055CB691EB609C46C7D5

Function 07819770 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830e9646354a267c4ead753002ff87951f7494f430ab46af0ff6b18b86980966
Instruction ID: 739154926859d91f63ec9c94c9dc4755a87f3b8df6baa0fd295a6b87c246900d
Opcode Fuzzy Hash: 830e9646354a267c4ead753002ff87951f7494f430ab46af0ff6b18b86980966
Instruction Fuzzy Hash: B2E06DB4D1824CEFCB40DFA9D0512ACBBBCAF9A304F0494A9C808E3240E6306A40CF00

Function 07819168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a3fa3bd409bcff10ae19580769593cbd4310ebfc1dd38b58b50752db898078
Instruction ID: d1762491d51d7b65487af55e1fb0a46022d52848f73ec6fd5ea2e6e1d49f19ae
Opcode Fuzzy Hash: 17a3fa3bd409bcff10ae19580769593cbd4310ebfc1dd38b58b50752db898078
Instruction Fuzzy Hash: 49E06DB4C4938CEFC781DBB8D81A39D7FB8AB07201F1400D6C844D3291E6385A94CB92

Function 07814610 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f47d9264ec609208f75a1c25a0be65454424ff178fbdd09fb743e4640d3ba6e
Instruction ID: 8c494460b26dead2409a908d3a0112c9cf71402ccfa63fc220277ab0f654c494
Opcode Fuzzy Hash: 1f47d9264ec609208f75a1c25a0be65454424ff178fbdd09fb743e4640d3ba6e
Instruction Fuzzy Hash: 07E022B22083804FCB26CF64E4430A13FA2EB01248B1408AFE44ACF202E765D807CB81

Function 078144E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab0b64587b73ccab038e81d9112e77ca303060c67794d1c31df1cad65afcd4
Instruction ID: 2eb699a9fc831960bf4283d7a058cd4cf91e27c5e688a160a7383d0bccb7aa9a
Opcode Fuzzy Hash: b5ab0b64587b73ccab038e81d9112e77ca303060c67794d1c31df1cad65afcd4
Instruction Fuzzy Hash: 02E026307146140BC709277864387E63BDD8B8D240F0C406AE2498B390C96058024391

Function 07811388 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76792fb12f191b5f138d101edabc84669221623434abd886eafff5620a872490
Instruction ID: 4ac01f88f9d4d3eaf155e5fe75b1cffaf7421239c6af6259fa4ed260ad1378fd
Opcode Fuzzy Hash: 76792fb12f191b5f138d101edabc84669221623434abd886eafff5620a872490
Instruction Fuzzy Hash: 67F01575D00108ABCB01DFE4D8896EDBFB9FF09604F1082E6E945A2640EA306B55CB80

Function 0781B668 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74192cb822a6206311fbe069a6d89d16c34f57ec9bdd45e2ce35f87db513447a
Instruction ID: 1e7072d00c4be8b13ef4214c0d9a2491a67d607c94726ae54f9e7ed411687104
Opcode Fuzzy Hash: 74192cb822a6206311fbe069a6d89d16c34f57ec9bdd45e2ce35f87db513447a
Instruction Fuzzy Hash: 9BE046A605E3D05FD7436B7468293D47FB46A17259B084093C084CA0A3DB18C81AC7AA

Function 0781F228 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63bb498844566b6469b2048eac1559ecce1dad93634d4dad5877fcc4ac80dc2
Instruction ID: 9e23b71b0814e758750ee9da0401c2669ecf2f02f7ec66f1e952be455c8530db
Opcode Fuzzy Hash: e63bb498844566b6469b2048eac1559ecce1dad93634d4dad5877fcc4ac80dc2
Instruction Fuzzy Hash: 90E0C2B140A388EFD312EB74A4527AABFB9AB13205F4006E9C44483692D77A8854C7D7

Function 0781DA79 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a829682983850ff745864512c1b138a2fa20d1236ccd20255459a8f66e8ac
Instruction ID: fba9a659314a486324a1b83d394c2c0541438cf5db6b56f0164dac48c9407bf5
Opcode Fuzzy Hash: fd5a829682983850ff745864512c1b138a2fa20d1236ccd20255459a8f66e8ac
Instruction Fuzzy Hash: 94E052F0E1A209DBCB18DFA9C1487ACB7B9AB5E205F109169D416E6261D7384541CF64

Function 078106F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8ff8501cac10ae24d4dc889ffc92bbb84e965e92290d2c89d14525527bf15b
Instruction ID: 2b2c1c88514c5594764be14dc68dbb52c7e65ad59a4f29891b26f88552c96a00
Opcode Fuzzy Hash: 0e8ff8501cac10ae24d4dc889ffc92bbb84e965e92290d2c89d14525527bf15b
Instruction Fuzzy Hash: 45D05B323501144FC3009BB8F848F9677DCDB49565B1544A6E20CC7265DA62DC108790

Function 07811398 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29345f3318ec9b5504644e0ad11d1c2c4c9448f9453ae723fce0c38a1b804ca
Instruction ID: 30c170f2fa1ea41d6d3f2c4b56239b48d0109588761d1c03eab2dd4d6464e0ec
Opcode Fuzzy Hash: f29345f3318ec9b5504644e0ad11d1c2c4c9448f9453ae723fce0c38a1b804ca
Instruction Fuzzy Hash: 33E07575D0120CEFCB40DFE4D9898DDBBB9FB48200F1081E6D815A2250EA305B55DB80

Function 07819178 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25551afb3cd073242da2e128c4be76bf3538f8d66751fbc757ea8a550403b67e
Instruction ID: 039cc4d7ad3621cd74bc6def9ee1f224f290288ee221a9b7c6cc3c73e7d605d0
Opcode Fuzzy Hash: 25551afb3cd073242da2e128c4be76bf3538f8d66751fbc757ea8a550403b67e
Instruction Fuzzy Hash: 96E0ECB495524DEFC784DFA8D54A79DBBB8AB06205F1040A9C808D3290E6345A90CB41

Function 078144F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2711a1adde146b4c76a3af6a4256e80df695d214a35c394ced040f8487de6930
Instruction ID: 5fc50e41aef294d6f90824620a0ba215cbc64049c50fa12454a82de8bdc92e18
Opcode Fuzzy Hash: 2711a1adde146b4c76a3af6a4256e80df695d214a35c394ced040f8487de6930
Instruction Fuzzy Hash: 42D05E357142144BC70D664DA0147DB76DE8FD9650F15806EE609CB390C9A19C0147D6

Function 078158E1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5421035e7a65adde2c90e039f0a83b8956a8a9517490de6868157b5bd37680b7
Instruction ID: 5c2619564d940fc48ab9f94751f2f8ba1bad89cf8f57bdc28209d137a45353aa
Opcode Fuzzy Hash: 5421035e7a65adde2c90e039f0a83b8956a8a9517490de6868157b5bd37680b7
Instruction Fuzzy Hash: C8E01231249344EFDB829BB4D841CE57F74AF1B220B509286E544CF1E3C2328957DB52

Function 07814961 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3169fab196ef2b4e8335c5bb25d544d01f7d15c8851bd74d0febcf2606c6fed
Instruction ID: accdf0fa65cf4e2134414a52a426fd705798c50f0eecb2ab183e0716e02574ef
Opcode Fuzzy Hash: c3169fab196ef2b4e8335c5bb25d544d01f7d15c8851bd74d0febcf2606c6fed
Instruction Fuzzy Hash: 9BD0A932048148BBCF026FB0DC21BE87F3DEB19264F488050F3800C0A2C233A163DB81

Function 0781F238 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21270d03a4282c997c36f5dcaf9fd75776400bf7ec5159482098449e667da3c
Instruction ID: cc2f31d24d2ad732cccdbdef9859865e2164d5c6ab1c88de4cfdd3fd0681c9e9
Opcode Fuzzy Hash: c21270d03a4282c997c36f5dcaf9fd75776400bf7ec5159482098449e667da3c
Instruction Fuzzy Hash: E0D022B040230CEFC314EFA4C006B19B37CEB03200F8001ECC80483240CBB68D00CB9A

Function 078158F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8b57b02c5033c5d68843d50cb20abf8a8d3a4289acc40a1e3c571395dfb306
Instruction ID: 21873addcd74a1af25881160cda3a4ebde683575f94949f78995357b83732aec
Opcode Fuzzy Hash: fe8b57b02c5033c5d68843d50cb20abf8a8d3a4289acc40a1e3c571395dfb306
Instruction Fuzzy Hash: 09C0803624020CFFDB80AFD4CC41D55775DAB18710F50D000FA084E151C172F853DB52

Function 0781B688 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed517598aa3749725401f4496df7b26bc97dc97aca12baddf97159ce5b576b27
Instruction ID: 50b07c0378b348e95d18afb291e5414ec16c324bbd15d9ef901aa23102c95f1a
Opcode Fuzzy Hash: ed517598aa3749725401f4496df7b26bc97dc97aca12baddf97159ce5b576b27
Instruction Fuzzy Hash: F4C08CF60416858BC2902BA0B60E328B7BC771A302F800010D108810928F788014CA5E

Function 0781F54A Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef32fdc31b9d795a352e253a4dc5ae34a28cf727d7e233b5e528cb3af8343ad
Instruction ID: 8246c5a3748ce30aab0902c2e181ceb6a5871b311fca3f79b49e93cd1e3ed950
Opcode Fuzzy Hash: fef32fdc31b9d795a352e253a4dc5ae34a28cf727d7e233b5e528cb3af8343ad
Instruction Fuzzy Hash: 89D0C9F04193859FC7419F6CA49869CBFB9EF4A204B244659C48097619D630A8868B11

Function 07814970 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d0932c69d90bb2599d39434ff9b15e1e5c3a9c7a32c706a7c8612df06238b0
Instruction ID: 07c7ce6e5abcb5074881ebf635ef3c2a0f5822c0a39f4e32d0e07d44736007a6
Opcode Fuzzy Hash: d4d0932c69d90bb2599d39434ff9b15e1e5c3a9c7a32c706a7c8612df06238b0
Instruction Fuzzy Hash: 34C01232084108BBCB026A80CC01E19BF2EAB14290F108004F7040D0A2D273E563AB82

Function 07818D18 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabcfce9745f7927f1a18fd09502c121c4dc3d4be08acff93dac8c51630225c9
Instruction ID: 99b16550abf9827e94385496ebb177f93b8c152a86e6a9b6b515d1ab15716c82
Opcode Fuzzy Hash: aabcfce9745f7927f1a18fd09502c121c4dc3d4be08acff93dac8c51630225c9
Instruction Fuzzy Hash: 33C08C9514EBC186D30252B42809B206F20EFA3700F0902CF958184493E3240034D36B

Function 07814B58 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8954c72234f01283eaefeba04f7ad4259829d8e201c136ddc7c2620cb0ce6840
Instruction ID: 8f3d6c69366a37de22bbab64c6a55a2777319751fd2d40d5bdac5c69ce3888d0
Opcode Fuzzy Hash: 8954c72234f01283eaefeba04f7ad4259829d8e201c136ddc7c2620cb0ce6840
Instruction Fuzzy Hash: 2EC04CB9116105DE9601B7949594E1976F9FFA9340B42C855618585031EA61C418DB07

Function 07817224 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9825170188281a2c9e86c33b3949418a900522c5c75369b26cfe39d4a2925730
Instruction ID: d57d4517243b1f959d17e1416d07031da7a738a0be024c20191efb416d94b96a
Opcode Fuzzy Hash: 9825170188281a2c9e86c33b3949418a900522c5c75369b26cfe39d4a2925730
Instruction Fuzzy Hash: A6B012B91B5708E2D00533A44896E2F5065EFB6700F40EC49364B80050C5B48469D62B

Function 07812DD0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234256d43ac4b6c9988c77b448fc701f979c28cbbc8e9c16bcc7052e2452f254
Instruction ID: 309fd53334aa76d7dac723da1f282f7cd85d8dcc7b33c2bd935f7f23d32da18c
Opcode Fuzzy Hash: 234256d43ac4b6c9988c77b448fc701f979c28cbbc8e9c16bcc7052e2452f254
Instruction Fuzzy Hash:

Non-executed Functions

Function 06FA6F98 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38fec94a84348f034dd76a338bd31a9e43dc88edc0607cfa4b5a3374c58d481
Instruction ID: b0cc860e5edd991df42046a37a33353a78443bd290ce2f34465525feb107e4b3
Opcode Fuzzy Hash: f38fec94a84348f034dd76a338bd31a9e43dc88edc0607cfa4b5a3374c58d481
Instruction Fuzzy Hash: EEE19CB5B017058FDB99EB79C850B6AB7F6AF88600F14846DD15ADB390DB35E802CB60

Function 0781FAA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beee9521ba29cfe3ae6f81d3bb4abb99e0db4f293e6fa8ebdeb6075ce9c79f3e
Instruction ID: 25e505fa5fcf41abc7ba6a2b687b9e4b7063039cab300be7e7595fa559a1af48
Opcode Fuzzy Hash: beee9521ba29cfe3ae6f81d3bb4abb99e0db4f293e6fa8ebdeb6075ce9c79f3e
Instruction Fuzzy Hash: 53E1EBB4E102198FDB14DFA9C580AAEFBB6FF89304F248169D514AB355D731A942CFA0

Function 06FA24D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7f0b44477e2f0b8c3f879901fd0a1a5fb47f637e7e2bd07be5206557681f85
Instruction ID: 7531b2db9466e057b6908930c4a26a3c078bb61ba68e724215be1d0ea7a6c4f3
Opcode Fuzzy Hash: 1c7f0b44477e2f0b8c3f879901fd0a1a5fb47f637e7e2bd07be5206557681f85
Instruction Fuzzy Hash: 59E1EAB4E142198FDB54DFA9C580AAEFBF2FF89304F248169E414AB355D731AA41CF60

Function 06FA0478 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04abdbdc2df3dd982468a7c2dc03b8e71d847503d8050bf3a08c0f6ce3cd951
Instruction ID: f3740ade966a63c38307ca6627840f2408a5621761a889f57e31ea5ac84b196c
Opcode Fuzzy Hash: d04abdbdc2df3dd982468a7c2dc03b8e71d847503d8050bf3a08c0f6ce3cd951
Instruction Fuzzy Hash: EAE1FCB4E102198FDB54DFA9D580AAEFBF2FF89304F248169D414A7355DB31A941CFA0

Function 06FA1B20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b913d1290434f4ce122917ec3ad2a2b0059d7bca17531752e684a2503516b206
Instruction ID: de0f1f145ca4f934296fbd381b2fbee3331b7bc4d269909cb18628f606ad96a1
Opcode Fuzzy Hash: b913d1290434f4ce122917ec3ad2a2b0059d7bca17531752e684a2503516b206
Instruction Fuzzy Hash: 90E108B4E102198FDB54DFA9C580AAEFBF2FF89304F258269E414AB355D731A941CF60

Function 06FA0040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cb3d9a3e7162c343e8e00da4f203107e5c8fd624d178d091ba059d821a0d7a
Instruction ID: 6db5a24922fcd44196fbef91fde283240cedae359953bdec8806ae7ca76ab698
Opcode Fuzzy Hash: 06cb3d9a3e7162c343e8e00da4f203107e5c8fd624d178d091ba059d821a0d7a
Instruction Fuzzy Hash: B9E1FAB4E102198FDB54DFA9D580AAEFBF2FF89304F248169D814AB355DB31A941CF60

Function 07817710 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b68d86d50ced14ee324aae1e72cf82e1a8c728710b39a28eca721aa8735785
Instruction ID: 34adcdc51f24f1fbf3e2c6bdedb91ff32aa2371c663c4810c40c8dd3b59b5d7b
Opcode Fuzzy Hash: 44b68d86d50ced14ee324aae1e72cf82e1a8c728710b39a28eca721aa8735785
Instruction Fuzzy Hash: 2ED1E775D20B5A8ACB11EF64D954AE9B7B1FF95300F20C79AD44937210FB70AAC8CB41

Function 07817720 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d76dfef52082fdac048021e10388359fd1c219711325b546ff45d26ba6eda16
Instruction ID: 27456601ca9555426dae00286028edbf542d0ea75ed16082fd596405b3720e4d
Opcode Fuzzy Hash: 0d76dfef52082fdac048021e10388359fd1c219711325b546ff45d26ba6eda16
Instruction Fuzzy Hash: 62D1E735D20A5A9ACB11EF64D954AE9B7B1FF95300F20C79AD54937210FB70AAC8CB81

Function 013CDA4C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364116377.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611bab3cef86684ae52e77261dffff9426e9ca8eb640c8ba138cdac4a7b7d925
Instruction ID: d0b20adcf4db11efaef6ff7dea0ef54d19ad33f6b05a1e6f4327ddedc3dad46a
Opcode Fuzzy Hash: 611bab3cef86684ae52e77261dffff9426e9ca8eb640c8ba138cdac4a7b7d925
Instruction Fuzzy Hash: 0EA16C36E0020A8FCF19DFB9C84059EBBB6FF84704B15456EE905AB265DB71ED06CB80

Function 06FA0006 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79456bf0fd28990b3008dc784fdaa9e1d4e27ff853a9ba1215cab9d5ae76871
Instruction ID: 6df750d2e3d0f94809d2c443dcd4b3f872410eb6bf50d76b4f9ea1612a05ab7a
Opcode Fuzzy Hash: e79456bf0fd28990b3008dc784fdaa9e1d4e27ff853a9ba1215cab9d5ae76871
Instruction Fuzzy Hash: A3515FB1D043598FDB54CF69D9405EEBBF2BF8A304F2481AAD418AB256DB309D41CFA1

Function 0781FA88 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1378167985.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b65fc591e472854ff84558f97e3c449dc3c16d41cca0192734909910d055d1
Instruction ID: 8552f7bfb21b672597c9c879ef75d9f9266273f6b8339e4e52b8c7129ce2841d
Opcode Fuzzy Hash: 73b65fc591e472854ff84558f97e3c449dc3c16d41cca0192734909910d055d1
Instruction Fuzzy Hash: 05514CB1E002198FCB14CFA9C9406AEFBF6FF89304F24816AD508A7355D7319A41CFA1

Function 06FA24C0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7624e13beac292cea7e49bdca5fdbf63b1b97daa6ac015704250bba5405436a7
Instruction ID: 1d39384e997dc3dac0a79a4680d3e7231921896d8bd4d7143110ea6fd81d50b7
Opcode Fuzzy Hash: 7624e13beac292cea7e49bdca5fdbf63b1b97daa6ac015704250bba5405436a7
Instruction Fuzzy Hash: CD511AB1E102198FDB54CFA9C9805AEFBF2FF89300F24816AD418A7355D7309A42CFA1

Function 06FA48E0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc553626da0a7aba590bb7d26b25d856ccf57c14e897d0f16ab74f79cb6ebce
Instruction ID: 431371de5cb3a72c963b1ad0ae5e6ad3f38f9786a31b6307308b8a93e50d7e18
Opcode Fuzzy Hash: fdc553626da0a7aba590bb7d26b25d856ccf57c14e897d0f16ab74f79cb6ebce
Instruction Fuzzy Hash: 6AE0C9BAD4A314DFEB908E94E5497F8B7FCE78A322F003095C54EA3251C7705995CA80

Function 06FA49FA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77f4fc0130b65704e38bb3f09430f54c174e4c18282ec012919c683429d8641
Instruction ID: 9bb0c57ae9655d5813c6077230627849d0838486171c733b262dc7c4e7243407
Opcode Fuzzy Hash: d77f4fc0130b65704e38bb3f09430f54c174e4c18282ec012919c683429d8641
Instruction Fuzzy Hash: 40E08CB6D0E304DFEB809EA4F0092F8B7BCE75B322F0030A2C14EE3211C27094608A94

Function 06FA4F28 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377756705.0000000006FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef21c64be52eba878658f499bf0742295d0431ec64a4ab55a40d82c21f4ffb1
Instruction ID: 955d18b0d009dc25698d0ed9da89197cdfc463ed1484c3d4357a76a7f208a6be
Opcode Fuzzy Hash: aef21c64be52eba878658f499bf0742295d0431ec64a4ab55a40d82c21f4ffb1
Instruction Fuzzy Hash: 7ED05E72D4F3D0DFDB434B6460190F8BF78CE8B226B4520E7C18EDB053C25191688795

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exePID: 8164, Parent PID: 7952COMMON

Executed Functions

Function 017C394B Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

Xq, xrefs: 017C3CCD
Xq, xrefs: 017C3CF6

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: dba884fd2d11f4affb5e2da83f67f600c85e33edd95629fcb5c8a759efa0fc78
Instruction ID: 04b5701fb9fd12c2de70a2f9e9c4a501d69333896b796b5533176397d327eb4c
Opcode Fuzzy Hash: dba884fd2d11f4affb5e2da83f67f600c85e33edd95629fcb5c8a759efa0fc78
Instruction Fuzzy Hash: E4E1BC315086D28BC3799A3ED55D56AFFA07B46B1C729E0DDC241CF9ABD522C843CB82

Function 017C3E09 Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

Xq, xrefs: 017C3E47

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xq
API String ID: 0-599127549
Opcode ID: 434e8c8796f7deddb95f62f424afa37b0944f70ca9363a3a3e876cfe1c3aaa03
Instruction ID: 05edade51dd6fd0f08f2c227fe1027491411e602bd373cff443c1a599d202535
Opcode Fuzzy Hash: 434e8c8796f7deddb95f62f424afa37b0944f70ca9363a3a3e876cfe1c3aaa03
Instruction Fuzzy Hash: CDF16974F00219CFDB18DFB9D8946AEBBB2FF88710B14956DE406AB358CB349846CB51

Function 017C0C8F Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4eb00915221ec4b17c88e3200f81dfead9198dec221ac3d05769add454e5a8
Instruction ID: 44167ebc4a661266f28e7392b3cec4ffebbf30cde68dafe5af20c43e3715568e
Opcode Fuzzy Hash: 1c4eb00915221ec4b17c88e3200f81dfead9198dec221ac3d05769add454e5a8
Instruction Fuzzy Hash: 3E52D374A10219CFDB54DF24E998BADB7B6FB4C302F1091A9D809A7354EB346E85CF81

Function 017C0CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428406a99a944863db664db625c49e819dbc92380c3fdb5ad9879e47d77ccf5b
Instruction ID: af1c8030deb4947d4f52612ebba16ca2d7dbc4ec0c6ef472ff6534cdb5a09b78
Opcode Fuzzy Hash: 428406a99a944863db664db625c49e819dbc92380c3fdb5ad9879e47d77ccf5b
Instruction Fuzzy Hash: 2E52D374A10219CFDB54DF24E998BADB7B6FB4C302F1091A9D809A7354EB346E85CF81

Function 017C2790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd1d39005d2487a062c19f04a061e6aab19b016ff045cc96205d26287ae301b
Instruction ID: 36d1d1594c3f3e2265cb16e0e6bc9ffc496524f460296eb8cdc7f91b52c52c2d
Opcode Fuzzy Hash: 2bd1d39005d2487a062c19f04a061e6aab19b016ff045cc96205d26287ae301b
Instruction Fuzzy Hash: 7A311370D042498FCB05EFA8D8946EEBFF4FF4A300F1441AAC545AB265EB341985CBA2

Function 017C28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbebb758a11b16851a59a7ed0c55596ae697799e187363eb9873bb7a66678486
Instruction ID: f85410add01144336104068cc43ff6d4f2eea4671cd0abb7ca28e5bc0e1de717
Opcode Fuzzy Hash: bbebb758a11b16851a59a7ed0c55596ae697799e187363eb9873bb7a66678486
Instruction Fuzzy Hash: FC217C35A001049FCB15DA68D8509EEBBB5EB9D7A0F20C06DD809AB241DB34EE468BD1

Function 017C4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b61d86c11abb71812486b6cc53e829dbf769d0a7896f8401cb04c969d81752
Instruction ID: 7e1086110b9c3cef4fc4e257de90a274724aeb1b4d9c7106cc1ac243de0aa590
Opcode Fuzzy Hash: c0b61d86c11abb71812486b6cc53e829dbf769d0a7896f8401cb04c969d81752
Instruction Fuzzy Hash: FC319478E01308CFCB44DFA8E5949ADBBB6FF49311B2094A9E819AB324D735AD41CF40

Function 017C27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0022f5830aeb1b1a171df83477ce1c6de876d6a4fcc30a548d66da1afc3bf9
Instruction ID: dd8404e2fb6ecaf6b3b9775432c80e34281b674841a231cca2c6dd30d2dcb266
Opcode Fuzzy Hash: 1e0022f5830aeb1b1a171df83477ce1c6de876d6a4fcc30a548d66da1afc3bf9
Instruction Fuzzy Hash: 3321EF70C042498FCB05EFA8D9545EEBFF4BF0E310F1452AAD815B6214EB301A85CBA1

Function 017C28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe57452953d245976e06ffd8ed17a9bb499134e76be8f24f673671facfe74ff
Instruction ID: 63dd01c4d3482b303d5991c7dac729209c5feaaf1325951989b929f8feef46b7
Opcode Fuzzy Hash: 4fe57452953d245976e06ffd8ed17a9bb499134e76be8f24f673671facfe74ff
Instruction Fuzzy Hash: 3EE0DF32D50366CFCB01EBA4DC400EEBB34AE86311B48459BC02537190EB742618C7A1

Function 017C28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1458681483.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5872e7c2561a3f1ae36dab0de677803d94ef2c602d9dd513d58c97273abdc1d6
Instruction ID: fe27369d7b8262936b771fb611b032e460adf0ab99204cf3f54e820d5babc0e3
Opcode Fuzzy Hash: 5872e7c2561a3f1ae36dab0de677803d94ef2c602d9dd513d58c97273abdc1d6
Instruction Fuzzy Hash: BAD01231D6022A978B01ABA5DC044DEBB38FE95361B504666D51437140EB70265986E1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f328b3eaafa9c91d9bd94872426a6bfa15601ef3_be39743d_62ab06af-1377-4cda-9754-2f756f7c2d73\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ACB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C81.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CB1.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkdrzkk4.prl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwpywpgg.guy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phlhqcc5.izb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y133hkv3.ire.psm1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe

Function 013CD138 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 013CD133 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06FA2C44 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 06FA2C50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 013C4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 013C590F Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 06FA29C0 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Function 06FA29C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 06FA23F2 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre